Kitz Forum

Chat => Chit Chat => Topic started by: broadstairs on May 15, 2018, 10:51:11 AM

Title: GDPR - again - is this right?
Post by: broadstairs on May 15, 2018, 10:51:11 AM
My wife has just come home from her hairdressers and told me she has had to complete a long form for GDPR. I am somewhat surprised for two reasons, first the only information they have is a phone number and second they don't use computers, it's all on paper and even their appointments are kept in a book and written in pencil because it's easy to change.

Has the owner been badly advised or does GDPR extend to paper records as well? If it extends to paper records how is one supposed to keep a back up and keep them safe? Does the lady in this case need a fireproof safe bolted to a concrete floor!

Stuart
Title: Re: GDPR - again - is this right?
Post by: lloyd on May 15, 2018, 01:05:41 PM
It does apply to paper records (as the old Data Protection Act also did).
Title: Re: GDPR - again - is this right?
Post by: g3uiss on May 15, 2018, 10:28:47 PM
I can confirm that. There is no implication of the inclusion of any paper based record keeping.

Tony
Title: Re: GDPR - again - is this right?
Post by: sevenlayermuddle on May 16, 2018, 12:37:04 AM
The ‘long form’ would probably have been her signing consent to their use/abuse of the data they already held, or might hold in future. It is a valuable business asset, even for a harmless small local hairdressers. Who knows, they might one day be taken over by a more evil hairdresser chain, who would factor the value of that data into the takeover negotiations?

If so, she would have had no obligation whatsoever to complete the form.   All she had to say was ‘no’.

The magic of GDPR is that explicit consent is now needed for spammers to hold your data. This supersedes the ‘implicit’ consent of days gone by, when simply booking a hairdresser’s appointment could be regarded as “deemed” consent, after which the hairdresser could spam you and/or sell on your data to 1001 other spammers, as well as future owners of the business.

I do hope she said ‘no’?
Title: Re: GDPR - again - is this right?
Post by: broadstairs on May 16, 2018, 07:35:46 AM
The only information they have is a home phone number, nothing else, reasonable for them to have that in case an appointment has to change.

One thing I did find a little strange was that they told my wife that they can only cut hair for an under 16 year old with explicit parental permission.

I find the whole thing rather ridiculous and simply do not believe it will actually make a difference especially as it can only be enforced within the EU. I am not convinced it is anything more than red tape which is costing companies a load of time and money.

Stuart
Title: Re: GDPR - again - is this right?
Post by: sevenlayermuddle on May 16, 2018, 08:24:26 AM
My understanding was that data used as a contractual necessity did not require consent.   I’d have thought that using the phone  number to change an appointment qualified, as a contractual necessity.   They may however need to have a process for deleting it after a reasonable time, and maybe that gets hard with paper records held in a single big appointment book?

GDPR only applies under EU law, but it applies to companies based in Europe as well as customers based in Europe.   I understand Facebook having HQ in Ireland, were faced with GDPR affecting world wide.   Unsurprisingly, they have reorganised to avoid it - will apply to EU users, but they can continue as before with users elsewhere.

Title: Re: GDPR - again - is this right?
Post by: kitz on May 16, 2018, 12:00:35 PM
I think a lot of it is not very clear and open to misinterpretation.   Problem is that everyone says you need to consult a lawyer, so for smaller businesses they may be erring on the side of caution.   

I've spent days trying to get my head around everything.  I think the main site is now sorted but the forum still has some odds and ends I need to finish off and for which I'm still not sure about.  I too wondered if I would be affected on certain aspects (eg age consent / right to be forgotten / data portability) and I have a thread elsewhere with long ongoing debates by many others who have now got involved. 

Some of these are extremely hard to implement - for example do posts on forum count as data portability, then some bright spark brought up PMs which definitely would be impossible as we as admin don't have access to.

The IP address as personal data is ridiculous, because only the ISPs can tie this up to a person, yet forum software needs to record IPs for security. As it stands atm my thread has triggered SMF to seek proper legal advice so I'm waiting to see what they come up with, because atm there's an awful lot of forum owners not knowing where they properly stand.

You will notice I too have possibly gone for overkill by deleting data such as location, age and reset everyone's email contact and perhaps my new policy says more than it needs to, but I'm erring on the side of caution.

The problem is, there will still be many websites out there that aren't compliant and I doubt that anything will happen for a while..  and even worse scammers will just totally turn a blind eye to it and ignore everything. 
Title: Re: GDPR - again - is this right?
Post by: Ronski on May 16, 2018, 01:27:16 PM
There's certainly been some panic where I work, filing cabinets locked that never have been, we've been told to delete anything that is no longer relevant as well. Also have someone coming in on Friday to advise.
Title: Re: GDPR - again - is this right?
Post by: sevenlayermuddle on May 16, 2018, 03:49:01 PM
I do sympathise with small businesses, and of course, with harmless and well-intentioned forums.

But I do think that GDPR will solve some real problems.

A few months ago, I booked a stay in a UK hotel, part of a large and respectable chain that I’d not used before. When checking in, I made sure to tick the box saying words to effect of “no spam please”. A few weeks later, the spam started flooding in... special invitations for weekend breaks in the chain’s other hotels. >:(

I complained, pointing out that I had never consented to this spam.   It turned out, buried in the T&C on the online booking page, words to effect of...  “by using this booking service you are deemed to be consenting (to spam)”.  The “deemed” consent also included permission  to have my data passed on to other organisations.

My understanding is that a big part of GDPR is about outlawing such ridiculous “deemed consent”. Consent now needs to be very explicit, and the hoteliers and other spammers must be able to prove that genuine consent was freely given. “Deemed consent” like this, whilst very common, always was a very dubious business tactic, and I am glad if GDPR puts an end to it.

But repeat again, sympathies for those affected by GDPR, but who were never doing anything bad in the first place. I can’t help thinking that these are unintended consequences, but that doesn’t make them go away. :(
Title: Re: GDPR - again - is this right?
Post by: broadstairs on May 25, 2018, 11:30:58 AM
I'm today having a 'frank and meaningful conversation' with a supplier who I used ages ago and now will not allow me to close my account because it deletes my purchase history! I don't believe this is correct with GDPR. I can remove some information but not delete the account.

Stuart

PS. They've just told me they do not have to allow account deletion under GDPR rules which I believe is cr*p.
Title: Re: GDPR - again - is this right?
Post by: sevenlayermuddle on May 25, 2018, 12:05:30 PM
One good reason to avoid traders that require an 'account' to be opened?   Sadly, that's not always possible, I wonder if GDPR might make it easier in future?

That said, my assumption would also have been for GDPR to facilitate closure of dead accounts, providing sufficient time has elapsed that the account data is no longer needed for business accounting or other legal purposes.
Title: Re: GDPR - again - is this right?
Post by: chenks on May 26, 2018, 07:01:09 PM
so with GDPR how does that affect forums and inactive/users who no longer want to use it.
can someone now request that their account be totally removed/deleted and all posts be removed?