… so it’s not really a solution, is it? Sigh ….
In reality, the rules are about protecting people’s personal information (and rightly so, in my opinion), not disrupting business.
So, if you do collect people’s data (emails, credit card, age, etc), you have to look after it carefully.
And if someone in the EU asks for a copy of the data you hold, you have to send it to them.
From the Regulator:
Some of the myths we’ve heard are, “GDPR means I won’t be able to send my newsletter out anymore” or “GDPR says I’ll need to get fresh consent for everything I do.”
I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust another myth.
Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.
1) If you are, for example, offering affiliated items/services (e.g. you’re an Amazon affiliate), you are most unlikely to be collecting any information at all - you merely pass the customer to Amazon or whomever.
2) “… consent is not the only legal basis for holding data …” says the UK’s regulator (the ICO). “Legitimate interest may provide better grounds when an organisation doesn’t want to bother (people) with disruptive requests when they are unlikely to object to the (hosting of the data)”.
A good example of this is my newsletter!
You’ve asked me to send it to you, supplying your email and your name (nothing else).
You know what you’ve sent me and why.
I don’t need to send you endless emails asking your permission again - you’ve already given it to me (and, of course, you can unsubscribe at any time).
Similarly, if you’re a Tetmo.com client, I don’t get your credit card details - Stripe/PayPal takes care of that for me.
- the processing is not required by law but is of a clear benefit to you or others
- there’s a limited privacy impact on the individual
- the individual should reasonably expect you to use their data in that way, and
- you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Bedtime reading (!) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
Oh, and all these claims that you will get a 20 million fine for not “registering”?