Author Topic: The GDPR and You  (Read 20882 times)
Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


on: May 25, 2018, 08:35:31 AM

The GDPR email storm is going strong today.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
HaemishM
Staff Emeritus
Posts: 42628

the Confederate flag underneath the stone in my class ring


Reply #1 on: May 25, 2018, 08:56:51 AM

As are the phone/tablet app updates.

Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #2 on: May 25, 2018, 09:35:10 AM

Mild interest in a GDPR thread, but this may suffice:
https://gdprhallofshame.com/

US Capitalism crashes against the wall of EU do-goodery.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
Ard
Terracotta Army
Posts: 1887


Reply #3 on: May 25, 2018, 09:57:23 AM

Quote from: Yegolev
The GDPR email storm is going strong today.

The funny part to me is that almost none of them are mentioning that it's because of GDPR.  It's like they think if they hide what's going on, they won't get frivolously sued for a large chunk of their net income.
Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #4 on: May 25, 2018, 12:02:24 PM

As a US citizen, I assume my options are limited.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
calapine
Terracotta Army
Posts: 7352

Solely responsible for the thread on "The Condom Wall."


Reply #5 on: May 25, 2018, 12:50:58 PM

Quote from: Yegolev
The GDPR email storm is going strong today.

What's ironic is that most of those emails are not necessary. If there is a customer relationship with the recipient - i.e. you bought a product, use their service, etc. - then an opt-in is NOT required. Opt-in for a newsletter is only mandatory for non-customers.

Hard to understand that so many companies aren't aware of it. I know it and I neither have a business nor am I some super genius.
« Last Edit: May 25, 2018, 12:55:55 PM by calapine »

Restoration is a perfectly valid school of magic!
Sir T
Terracotta Army
Posts: 14223


Reply #6 on: May 25, 2018, 01:31:20 PM

They might be just using it as an excuse to try and get people to sign up for stuff.

Hic sunt dracones.
Trippy
Administrator
Posts: 23611


Reply #7 on: May 25, 2018, 01:54:14 PM

Quote from: calapine
Quote from: Yegolev
The GDPR email storm is going strong today.

What's ironic is that most of those emails are not necessary. If there is a customer relationship with the recipient - i.e. you bought a product, use their service, etc. - then an opt-in is NOT required. Opt-in for a newsletter is only mandatory for non-customers.

Hard to understand that so many companies aren't aware of it. I know it and I neither have a business nor am I some super genius.
That's not correct. You don't need to "re-consent" if your original consent meets GDPR requirements, which basically none of them did cause they were all opt-out not opt-in. There are also other requirements like having the consent be separate from other things like Terms and Conditions which were probably not followed as well.

calapine
Terracotta Army
Posts: 7352

Solely responsible for the thread on "The Condom Wall."


Reply #8 on: May 25, 2018, 03:36:26 PM

So this (quote from wired) is wrong?

Quote
But, it turns out, most of these emails are pointless. "In the UK it has been the law since 2003 that you can only send a marketing email to an individual recipient when they have consented to receive it or you have an existing customer relationship with them and have offered them the opportunity to opt out," explains Jon Baines, data protection advisor at law firm Mishcon de Reya.

Directive 2002/58/EC  (Directive on privacy and electronic communications)
Quote
(41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services, but only by the same company that has obtained the electronic contact details in accordance with Directive 95/46/EC. When electronic contact details are obtained, the customer should be informed about their further use for direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage. This opportunity should continue to be offered with each subsequent direct marketing message, free of charge, except for any costs for the transmission of this refusal.

Restoration is a perfectly valid school of magic!
Trippy
Administrator
Posts: 23611


Reply #9 on: May 25, 2018, 04:03:13 PM

I believe so. My understanding is GDPR consent requirements are a superset of the earlier EU requirements. So even if you met the earlier requirements that doesn't mean you meet the current requirements and you have to re-consent.

https://www.compliancejunction.com/gdpr-require-new-consent-existing-clients/

Quote
That being said, the GDPR has introduced a number of new standards regarding consent that are more detailed. You will need to ensure that your organization complies with these regulations. Below, we list and briefly describe some of the most important points that must be adhered to. If the manner in which your organization previously acquired consent does not meet these standards, then your existing consent is not sufficient and is therefore not GDPR compliant.
I.e. there's no "grandfathered" clause for the previous consent requirements.

calapine
Terracotta Army
Posts: 7352

Solely responsible for the thread on "The Condom Wall."


Reply #10 on: May 25, 2018, 04:20:50 PM

Hmmm. I'll have to ask around then before I repeat any misinformation. Will report back.

Edit: Wait, this politico article that is quoting a Belgian official says the same:

Quote
“There is a lot of fuss about this … In a lot of cases they don’t need this consent,” said Willem Debeuckelaere, Belgian data protection chief and deputy chair of the newly created European Data Protection Board that will coordinate privacy enforcement across Europe.

Companies don’t need consent to send marketing emails to existing customers. Nor do they need consent to send non-marketing material, according to Debeuckelaere. The only situation in which a company needs to ask for additional consent is when it sends marketing emails to contacts that are not existing customers.

https://www.politico.eu/article/those-gdpr-emails-you-got-all-for-nothing-general-data-protection-regulation/
« Last Edit: May 25, 2018, 04:23:49 PM by calapine »

Restoration is a perfectly valid school of magic!
Teleku
Terracotta Army
Posts: 10510

https://i.imgur.com/mcj5kz7.png


Reply #11 on: May 25, 2018, 06:45:46 PM

I haven’t been following this too much.  How exactly are they enforcing this?  Does it only affect countries that have a physical footprint in the EU?  It would be pretty fucked up to have a web site that’s entirely based in the US to have to comply with any EU regs for their citizens who visit it, so I imagine not.  But I’m seeing things about all sorts of US news sites blocking EU people.

"My great-grandfather did not travel across four thousand miles of the Atlantic Ocean to see this nation overrun by immigrants.  He did it because he killed a man back in Ireland. That's the rumor."
-Stephen Colbert
Chimpy
Terracotta Army
Posts: 10618


Reply #12 on: May 25, 2018, 07:33:22 PM

Quote from: Teleku
I haven’t been following this too much.  How exactly are they enforcing this?  Does it only affect countries that have a physical footprint in the EU?  It would be pretty fucked up to have a web site that’s entirely based in the US to have to comply with any EU regs for their citizens who visit it, so I imagine not.  But I’m seeing things about all sorts of US news sites blocking EU people.

Because the internet has removed the "physical location" of the business from the equation, it is for anywhere.

It is written as applying to EU residents, not citizens.

It has not been litigated yet so there is really no information on how the enforcement will work.

If you have a "reasonably valid business reason" for keeping data (or a separate legal/regulatory requirement to keep the data) then you do not have to "delete" people. What you, as an organization, DO need to do is stop collecting additional data on the person and refrain from using the data for marketing purposes or disseminating it to other parties.

I sat through a couple of sessions at a conference last week where the chief legal counsel for a major software company talked about how they went about their GDPR compliance. It was pretty interesting.

'Reality' is the only word in the language that should always be used in quotes.
Sky
Terracotta Army
Posts: 32117

I love my TV an' hug my TV an' call it 'George'.


Reply #13 on: May 25, 2018, 07:38:21 PM

Sir T
Terracotta Army
Posts: 14223


Reply #14 on: May 26, 2018, 10:00:57 AM


Hic sunt dracones.
calapine
Terracotta Army
Posts: 7352

Solely responsible for the thread on "The Condom Wall."


Reply #15 on: May 26, 2018, 10:25:31 AM


Restoration is a perfectly valid school of magic!
Ironwood
Terracotta Army
Posts: 28240


Reply #16 on: May 29, 2018, 02:28:45 AM

You have no idea how much money Microsoft are making over GDPR.  Trust me on this.

It's no wonder they're throwing it worldwide.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Yegolev
Moderator
Posts: 24440

2/10 WOULD NOT INGEST


Reply #17 on: May 29, 2018, 05:24:09 AM

OK, I'll bite.  I'm going to guess "consulting" since that's usually the answer of how someone makes money in IT.

Why am I homeless?  Why do all you motherfuckers need homes is the real question.
They called it The Prayer, its answer was law
Mommy come back 'cause the water's all gone
disKret
Terracotta Army
Posts: 244


Reply #18 on: May 29, 2018, 05:33:22 AM

Cloud.
Ironwood
Terracotta Army
Posts: 28240


Reply #19 on: May 29, 2018, 06:10:02 AM

Quote from: Yegolev
OK, I'll bite.  I'm going to guess "consulting" since that's usually the answer of how someone makes money in IT.

Partly, but mostly in the screamingly large upturn in sales of Azure Information Protection, E3 and E5 SKUs.  You know; the ones that have encryption and the compliance and security features?

We've been selling all that shit since last August and even this week I have 3 more large orders for it.   

Upselling.  It's a thing.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Phildo
Contributor
Posts: 5872


Reply #20 on: May 29, 2018, 06:31:52 AM

You're saying some of their licensing ISN'T GDPR compliant?
schild
Administrator
Posts: 60345


Reply #21 on: May 29, 2018, 06:41:11 AM

It doesn't sound like he's saying that at all. It sounds like he's saying they know how to make money.

Which is fine.
Ironwood
Terracotta Army
Posts: 28240


Reply #22 on: May 29, 2018, 07:20:30 AM

Quite a few sectors have.....overreacted to the requirements.  I'm not going to tell them they don't have to buy my shit, now, am I ?

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Chimpy
Terracotta Army
Posts: 10618


Reply #23 on: May 29, 2018, 09:28:44 AM

Quote from: Ironwood
Quite a few sectors have.....overreacted to the requirements.  I'm not going to tell them they don't have to buy my shit, now, am I ?

That’s at least partially because a lot of organizations didn’t pay attention to GDPR at all until the last couple months so they didn’t do the legwork to do data classification and tagging which is the cornerstone of any good data protection strategy. Of course, if data protection were easy I would probably be out of a job.

'Reality' is the only word in the language that should always be used in quotes.
Ironwood
Terracotta Army
Posts: 28240


Reply #24 on: May 29, 2018, 09:49:01 AM

Which is the shit that Azure will actually do for you.  So.  Sale. 

But you don't have to tell me.  I've been presenting workshops, as I say, since August and I'm utterly sick of one useless fucking organisation after another coming in and basically being low information dickholes.

Charities are the only chaps that have it all sorted in my opinion.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Phildo
Contributor
Posts: 5872


Reply #25 on: May 29, 2018, 10:24:49 AM

Quote from: schild
It doesn't sound like he's saying that at all. It sounds like he's saying they know how to make money.

Which is fine.

I was just concerned because he mentioned E3s specifically and we have one client who insists on using Business Premium licenses instead.  Wanted to make sure they weren't screwing themselves over by being picky in the wrong way.  Seems to just be the built-in encryption option, though, which is available with a separate license.
Ironwood
Terracotta Army
Posts: 28240


Reply #26 on: May 29, 2018, 12:56:15 PM

Except it's not because it doesn't work with the Business Premium version of Office terribly well.  But this is getting boring to everyone, so feel free to PM me if you have concerns.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
calapine
Terracotta Army
Posts: 7352

Solely responsible for the thread on "The Condom Wall."


Reply #27 on: May 29, 2018, 01:57:29 PM

Who do you work for again, Ironwood?

Restoration is a perfectly valid school of magic!
Raph
Developers
Posts: 1472

Title delayed while we "find the fun."


Reply #28 on: May 29, 2018, 02:22:44 PM

Even standalone Wordpress blog installs got handed a pile of requirements in the last couple of days. New tools for wiping users, new checkboxes on contact forms, turns out the spam detection plugins need consents, need to have a "show me my data" form... and if you use certain plugins, you actually have to hand-code stuff to let people opt out cookie by cookie or something.
Chimpy
Terracotta Army
Posts: 10618


Reply #29 on: May 29, 2018, 02:33:46 PM

Number one thing to remember when talking about GDPR: don’t trust anyone who says “use our product and be 100% GDPR compliant.”

No piece of software is a magic bullet, and being “compliant” today doesn’t mean you are good tomorrow as the whole thing requires a constant process to evaluate and act on requests and to ensure your data classification continues to be valid. As much as becoming GDPR compliant will suck for a lot of organizations, ones who go through an honest evaluation of how they deal with digital information will be stronger for it. Of course, a lot of organizations will fuck it up royally but those are likely the ones who will come running to Ironwood for help so is that really a bad thing?

'Reality' is the only word in the language that should always be used in quotes.
Teleku
Terracotta Army
Posts: 10510

https://i.imgur.com/mcj5kz7.png


Reply #30 on: May 29, 2018, 06:38:50 PM

I’m still not seeing how this is going to be enforceable to a number of companies responding to it.  There really is a massive overreaction as Ironwood said.  Unless that company has a physical footprint in Europe (and a lot of small American places I’m sure don’t, seem to be responding to this) the EU can’t do anything to them, nor should the EU expect they can apply their laws to them in the first place. 

The fact multi-billion dollar law suits were rolled out against Google and Facebook the day this came into effect makes this seem far more like trade protectionism for EU tech companies against dominant US players than anything.  If any major US company sees massive fines due to this, it's going to prompt a trade response.

"My great-grandfather did not travel across four thousand miles of the Atlantic Ocean to see this nation overrun by immigrants.  He did it because he killed a man back in Ireland. That's the rumor."
-Stephen Colbert
NowhereMan
Terracotta Army
Posts: 7353


Reply #31 on: May 30, 2018, 02:10:23 AM

I think the fact Google and Facebook got hit with massive fines surprises exactly no one. Thinking of them as specifically US tech companies also misses those guys' global status, they have offices and employ a shit load of people in Europe and pay about as much in taxes here as they do in the US. This is not aimed at protectionism but is a reaction to the wild west nature of the data market at the moment.

The basic principle of the GDPR is pretty simple: People have a right to how data about them is used and businesses that want to use it need a clear business reason that the customer would expect or affirmative (opt-in) consent. They also need to be clear and understandable for their customers in terms of what that data is being used for.

If I sell you a widget and need to know your address to send you said widget and to send you updated safety or product information for said widget, you buying that widget gives me a valid reason to hold on to your name and address, I can't supply you this service without knowing that. If my widget has a use life of 2 years, I'd probably need to get rid of your info after those 2 years or desperately try to resell you another widget.

If I'm required to verify your age, I can collect your date of birth to show regulatory agencies that all my customers are over 18. I have a legal obligation to collect and keep that data.

If I want to send you marketing information about my widgets+1 and other items, that isn't something that you as a customer would expect from just buying the widget. That's using your data in a way that benefits me and so I need your consent saying you're happy with getting info on other products.

If I have a sister company that sells fast food and often people who buy widgets buy fast food, giving them your info is 100% not something you'd expect as part of the widget buying. Likewise if you give me your permission to use your info for marketing because you just fucking love widgets, you probably wouldn't expect me to send all your personal data in a plain text email to a different company selling a different product. This would require a separate opt-in option to get your consent.

That's just the usage/consent side of things though. It's also required to inform people what data you hold and what you do with it in plain English/*insert language of choice*. Internally you need a list of what data you collect, how it's stored, who has access, etc. as well as how long it should be kept for. As others have mentioned you also need a public process in place for people to get copies of their data and to request data be amended/deleted. You don't necessarily have to do this (in particular any legal or regulatory requirements supersede an individual's right to their data) but you need to give people a way to ask. That of course means actually having an audit of what data you keep on people and why you keep it (to distinguish between contractual ones, legal requirements and the more marketing oriented ones).

Back to the lawsuits, the ICO in the UK and other EU agencies have been quite clear that they don't really expect companies to be fully compliant. What they do expect is companies to be actually working towards compliance. These lawsuits are likely picking up things FB or Google have missed and will probably result in them getting audited and having to show that this is something that they had plans to fix/implement or it's an oversight that they do actually rectify.  Where it gets a bit complex is things like whether you are a processor of sensitive data. In some cases this is obvious, hospitals, etc. have sensitive data. But it also includes biometric data, so is facebook a processor/controller of sensitive data?

I'm not surprised that charities are the most compliant, they're probably the organisations most used to dealing with sensitive data and generally staffed by people who take their legal obligations pretty seriously.

"Look at my car. Do you think that was bought with the earnest love of geeks?" - HaemishM
Ironwood
Terracotta Army
Posts: 28240


Reply #32 on: May 30, 2018, 05:40:56 AM

Quote from: calapine
Who do you work for again, Ironwood?

I'm a Cloud Architect for a Microsoft Gold Partner in the UK.  It's truly exciting.  Somedays I can barely help myself from contemplating the sweet release of death.

"Mr Soft Owl has Seen Some Shit." - Sun Tzu
Polysorbate80
Terracotta Army
Posts: 2044


Reply #33 on: May 30, 2018, 01:49:28 PM

Quote from: calapine
Who do you work for again, Ironwood?

Quote from: Ironwood
I'm a Cloud Architect for a Microsoft Gold Partner in the UK.  It's truly exciting.  Somedays I can barely help myself from contemplating the sweet release of death.

So are you technically still even a European?

Shittalking aside, where does Britain fall in all this with Brexit?

“Why the fuck would you ... ?” is like 80% of the conversation with Poly — Chimpy
Count Nerfedalot
Terracotta Army
Posts: 1041


Reply #34 on: May 30, 2018, 06:19:00 PM

Not that this will help Americans.  The government is one of the worst offenders. Some f*ing state Driver's License Offices (and I think the U.S. Post Office?) happily sell address info to any and every one who is willing to pay a few pennies per for it. As do some grocery/department store loyalty programs, etc. Sheeple gotta remember, if you aren't paying for it or are getting something for nothing, then guaranteed *you* (usually your attention/eyeballs) are the product.

I do wonder where the line is between a phone book and unreasonable use and distribution of your personal information though. It's there somewhere, but how do you define it?

Yes, I know I'm paranoid, but am I paranoid enough?