This has been an exceptional week on DiS so far and it’s only Wednesday.
And I thought my project was boring!
Not sure why this subject is so maligned, I think information rights/data protection etc/ is quite an interesting area. Then again, I work in information governance so I am biased
It’s true that many public organisations are ill-prepared for this. The organisation I have recently joined appears to have been perpetually screaming ‘what the fuck do we do?!’ for the past 18 months.
all organisations are doing this (due to the lack of specifics)
or they should be
It’s a nightmare for us and we’re only looking at it in case our customers want us to change our software to meet this compliance.
This site has the ability to anonymise any user. I guess we might have to consider doing that for any permanently banned member in future for safety reasons. I don’t really know what happens if you do that to a user who’s active, though. I think it only comes up when you’re banning them.
But it seems like it really requires a rewriting of so much of the way software actually works. I mean a relational database by its nature is linking lots of stuff together so enforcing unique keys via things like phone numbers and email addresses is pretty standard.
Does GDPR cover phone numbers? I haven’t been involved in the discussions much but if so I wonder what effect that might have on WhatsApp since this is based on using your number as your account’s unique ID.
There’s plenty organisations could/should have been doing long before this. Information management in public orgs is generally terrible (partly due to lack of funds).
It covers phone numbers, IP addresses…even ‘anonymous’ data if you can identify an individual person.
I work in the charity sector and am fairly confident in saying that it’s probably going to completely destroy the income streams of quite a few organisations.
Seems like only a few of the bigger charities are ready for it, and even they’re talking about losing really significant numbers of supporters because they can’t contact them and past donations don’t seem to count as consent.
I’ve heard figures of up to 80% of databases no longer being contactable, which will absolutely devastate income, and therefore the ability to provide services. Probably right around the time the economy starts crashing due to brexit and more people than ever need those services.
There’s also tons of confusion over what is and isn’t considered legitimate interest, meaning who you could go back to if you had a previous relationship. And the guidance generally seems to be “we’re not telling you what you should do, but if you get it wrong we’ll fuck you up.”
TLDR: if a charity you support gets in touch asking if they can contact you in future, reply saying yes because they’re really going to need all the support they can get.
I’m not as pessimistic as that - Legitimate Interest seems to be fair. Benchmarking it at if someone’s given you some money (crudely put) in the last 2 years seems like a sensible strategy post May 2018.
The real shitstorm will come later on when the first ICO rulings happen. Like if someone who gives £100 a month and has done for years to BIG CHARITY and complain to the ICO about it and the charity cites Legitimate Interest in response and the ICO still says ‘nope - here’s a fine for £200,000’ then… yeah everyone might be fucked.
20 million or 4% of Global revenue as a possible fine as well.
Seriously doubt they’ll be hitting charities with 20 million fines for something like that.
I really, really hope you’re right, but I currently work at one of the big, household name charities and we’ve been advised - by both our legal team and an agency that’s working on this with a lot of organisations across the sector - that legitimate interest carries to mail and phone (for now - the feeling is phone is next to go), but not to SMS and email. So any implicit opt-ins or previous relationships for those channels don’t count, even if they’re actively engaging with you and have, for example, given money or signed a petition or whatever via those channels in the past few months/years/whatever.
So that means there’s a need to go back and gain explicit opt-in from people for those channels, and of course very, very few people will actually read, let alone respond to any communication they get, but particularly one asking for consent. And once you’ve asked and they’ve ignored you… post-May, they’re gone, unless you can get them to opt-in to those channels via another channel, for which you already have either LI or consent.
What concerns me re: the ICO is that they seem to threatening serious punative action if someone gets it ‘wrong’, but won’t actually say what ‘right’ or ‘wrong’ actually look like.
Anyway, I’m not a legal expert by any stretch of the imagination, so just going off the advice we’re being given by various parties. My hope is that everyone’s just freaking out and it’s not going to be as harsh as expected. But my point about opting in to charities you support - that definitely still stands!
Well you would hope no, but that’s the fine ruling.
It’s tedious and have a meeting every week on it. Although this week have had 3.
That’s the max fine, yes. They already dish out varying fines depending on severity of breach or other non-compliance. Would imagine it’ll remain the same under GDPR. There’s always the fear that they’ll make an example of someone early on though!
Yes you’re quite right re: text and Email. I guess I was looking at it from the perspective of smaller orgs which are still heavily, even solely, mail dependent for donation income from individuals. Not as scary a deal as first figured for them but yeah bigger organisations that have a more mixed-channel ‘product portfolio’ if you want to call it that will be more affected.
And, again, you’re totally right that opt-in is the best way to be insulate yourself against the worst effects. Provided that your permissions statement is worded correctly
The ICO have been making an example of charity breaches of DP regulation for a couple of years now. Ever since that 90-year-old poppy seller committed suicide and somehow charity direct mail was elevated in the tabloids to the cause… (a charge strongly rebuked by her family).
So you can guarantee the first breach that comes to the ICO via a charity communication they’re going to go scorched earth with it.
Fair play. I’m unfamiliar with the charity sector and am unaware of those rulings. Just generally across the organisations i’ve worked in i get the feeling people have taken the piss with the DPA and a change like this has been needed, so i find myself a little more positive about things than others are.
The ICO has never applied the max fine under the DPA (500k) so it seems unlikely these organisation destroying fines are actually going to be dished out. Could be wrong though!