Is GDPR good or bad for the internet?


This topic contains 17 replies, has 9 voices, and was last updated by  GGG 6 months, 2 weeks ago.

  • #438

    Kerry
    Participant

    Is GDPR a good or bad thing? How does it even work? And will it mostly impact small businesses online or the big players?

  • #439

    jimmy
    Participant

    I think it is great news, businesses can only keep information on you if you agree and they have a valid business reason. To send advertising to, doesn’t appear to be a good enough reason. It affects big business more than little business, as most little businesses don’t hold much information on people.

    I have done some work around a membership database for a small business and we have had to make a few changes, such as it will remove anyone that hasn’t been to the business in the last 3 years, we couldn’t find a decent business reason for keeping them, but big business don’t think like that.

    • #444

      Kerry
      Participant

      I agree, I was quite worried about getting my sites GDPR compliant at first after reading all the rules that were very hard to understand not being a lawyer and all…and something only big companies could do. But thanks to the latest WordPress update it’s made things a breeze (even if I still don’t know fully how the GDPR laws actually work).

    • #445

      orange
      Participant

      Firstly, I think it’s a good thing – although it’s a bit of a headache for many businesses just now.

      > I think it is great news, businesses can only keep information on you if you agree and they have a valid business reason.

      Not quite – it’s if you agree (consent) OR they have a valid business reason (contractual obligations, legal compliance, “legitimate interest”).

      > To send advertising to, doesn’t appear to be a good enough reason.

      Whilst it’s probably bad practice, opt-in consent is not required for sending advertising by mail (rather than, say, by email or text). It’s also still OK to do untargeted, unaddressed drops of leaflets or the like.

      > It affects big business more than little business, as most little businesses don’t hold much information on people.

      Not true, I’m afraid. Or, at least, it depends on the business. A lot of small to medium sized businesses rely heavily on marketing to their existing customer base.

      > I have done some work around a membership database for a small business and we have had to make a few changes, such as it will remove anyone that hasn’t been to the business in the last 3 years, we couldn’t find a decent business reason for keeping them, but big business don’t think like that.

      The thing about it is that, if you’re already doing things properly, you probably aren’t going to have to make a lot of changes (although it’ll prompt you to check everything and sort out flaws in current procedures – which is good).

      • #466

        jimmy
        Participant

        Thanks for the correction. On the upside leaflet drops are much less effective and they don’t have to know anything about a person, it is a whole street thing rather than targeted. If they rely that much on targeting their user base, then wouldn’t these people appreciate the advertising and as such opt-in for future adverts?

        It is great that it is making people do things properly, the business I was working with (technical side, not as a GDPR person) had only been around for 5 years but had never done a clean up of information, so some customers had only visited once 5 years ago but were still in a database. It is good that this cannot pass as okay now.

    • #464

      Spotty
      Participant

      I think it is great news, businesses can only keep information on you if you agree OR they have a valid business reason.

      Recognising you as a potential customer is sufficient reason to keep your email address indefinitely. Keeping your DOB is a whole different level of detail and requires either:

      a) a statutory basis, or

      b) your consent.

    • #475

      GGG
      Participant

      Most of what you do with historical data, you can still do, provided you use anonymisation/pseudonymisation techniques. It’s actually easier to do that under GDPR than it used to be with the previous regulations.

  • #440

    Bel
    Participant

    The first casualty of GDPR looks as though it is WHOIS information… Good news I guess, as I no longer have to worry about getting spam from people harvesting whois contact details or paying extra for private whois.

    • #441

      jimmy
      Participant

      You might get less spam due to WHOIS information but bear in mind that unless you are wise enough to publish your business address on your website a lot of us are unlikely to get involved in buying anything off you.

      • #442

        Bel
        Participant

        Good point. Bots have made me shy away from doing that to my detriment, so I need to find a way to include more contact information without being spammed, as I’m guessing spammers aren’t too fussed about laws.

  • #465

    mandy
    Participant

    I absolutely love it.

    Over the last few weeks I’ve had a constant stream of e-mails asking permission to keep spamming me and to keep my details. No no no.

    Sitting on the other side it seems like those of my colleagues who deal with this just have to do it properly and can’t be lazy anymore.

    Did I say I love it? I think the entire internet may speed up due to the drop in traffic.

  • #467

    Kerry
    Participant

    I did read today on another forum that people are plotting to make money out of GDPR, hunting for sites that aren’t compliant and suing them? I can imagine ambulance-chasing lawyers doing this.

    • #468

      Spotty
      Participant

      Oh please let me know where to register a complaint with these ambulance chasers?

      I can list at least a dozen recruitment companies that seem to think that they can legally keep me on their database because they need to render a “service” that I have been trying to get away from for five years: offering me obscene amounts to move back to London.

      Their updated terms assumed my agreement (which is not legal, yes?) and didn’t provide an easy way to opt-out. (Wasn’t it supposed to be “opt-in”, now, not out?)

      • #469

        Kerry
        Participant

        I agree with you there, I definitely have no sympathy for recruitment scammers and they deserve what’s coming to them. I should have added I read this on a marketing forum which was full of people frothing at the mouth at the thought of being able to sue mom & pop sites over offences. I imagine there are plenty of small businesses across the UK that haven’t updated their sites in years who could fall prey to vultures.

      • #474

        mat11
        Participant

        Depends on what their chosen “lawful basis for processing” is. There are differing opinions about whether or not recruitment is a function that can process personal data on the basis of “legitimate interest” ie without consent. It looks like the better informed sources agree that legitimate interest is not justifiable* and that consent is the sole lawful basis that can apply between a recruiter and a candidate. Consent, as you surmise, must be actively given by the data subject (at a minimum, by ticking an empty checkbox on a web page – but preferably something a bit more ‘active’ than that) and recorded by the data controller so that they can prove consent was obtained if challenged. They absolutely cannot just assume consent. (The company I work for has opted for actively obtained consent as the lawful basis for its recruitment team, thankfully.)

        Regardless of whether or not they think they need your consent, you always have the right to object (GDPR Article 21) and the right to erasure (aka “the right to be forgotten”, GDPR Article 17). In theory you can communicate your wish to exercise these rights via any reasonable communication channel, and to anyone within the organisation. However, the most direct way will usually be to e-mail their Data Protection Officer – whose contact details they should have provided as part of the updated Privacy Notice you say you have received.

        If you ask them to stop pestering you and they don’t, or if you believe they are failing to comply with the law in any other way, then you should report them to the ICO (www.ico.org.uk). The ICO can levy heavy fines if they find that the organisation is in breach of the law (but you don’t get any of that).

        * The ICO has published guidelines explaining how this can be assessed: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/

    • #473

      mat11
      Participant

      > I did read on another forum that people are plotting to make money out of GDPR, hunting for sites that aren’t compliant and suing them? I can imagine ambulance-chasing lawyers doing this.

      I’m not sure how that would work. AIUI you would have to demonstrate some kind of detrimental impact eg a monetary or reputational loss in order to sue successfully. A private individual can’t make money out of criminal or regulatory fines levied on an organisation that fails to comply with the law.

      If an organisation is stupid, careless or lax enough to allow a breach that genuinely does end up having a detrimental impact on one or more individuals then I would have little sympathy.

  • #470

    Liam
    Participant

    It’s a massive pain in the arse, but is probably a good thing overall. The plethora of notification emails from every company that’s harvested my work email addresses is a constant reminder that the change is looming and that anyone processing info needs to look into it. There are a lot of people who are shockingly carefree with other people’s info – recently I was CC’ed into an email along with a few hundred others to share a spreadsheet of wildlife logging data… the same spreadsheet also had the names, addresses, DOBs and even car registrations of most of the recipients.

    It’s a clusterfeck but will probably make people aware of the responsibilities they already had under the existing data protection regulations.

    What’s on the other side of the change though? Will the hundreds of thousands (millions?) of small businesses not registered with ICO get a knock on the electronic door? What about all of those sports clubs and small charities that have ignored it because Doris the Secretary only checks her emails once a quarter? There undoubtedly will be fines and penalties for not getting up to speed (plus the ambulance-chasing of those hunting for non-compliance), but where will they land?

    Free SSL services like Let’s Encrypt are probably experiencing a huge bump in traffic this week (the ICO website keeps crashing too) and GDPR is currently a trending topic.

  • #476

    GGG
    Participant

    GDPR is a great thing but the data protection bill implementing it in the U.K. is an absolute disgrace.
