GDPR - anyone here know much about it?

seb
Posts: 33
Joined: Wed Apr 11, 2018 3:41 pm

GDPR - anyone here know much about it?

Post by seb »

As I think some of you know already, I develop, run and maintain a website that I came up with a few years ago.

Essentially I collate data from event organisers around the world, and put them all together. This means if Joe Bloggs has done 7 events that I have on the site, you can click onto his name and see those 7 events. There's no copyright on a set of data, only on how it's displayed, so this is all legal. 99% of event organisers that know about the site love it.

There's not currently any user registration or login on the site - the data is there for everyone to see. It's all data that is already available in the public domain (on various event organiser and timing companies websites), all I do is make it more useful/easy to find.

Photographers from the events upload their photos to my site to sell to the riders.

So far this has been pretty successful. It doesn't make a lot of money (no surprise there), but everyone LOVES it, I'm constantly getting praise from the site's users, which is nice.

I've always had an opt-out feature where anyone can email me and say they'd rather not have their race history visible, at which point I flip a flag in the database and suddenly their page is no more. They still exist in each individual set of results, but you can't click into their name to see their history. It becomes akin to viewing the official results wherever they reside on the internet already.

Most events' results just comprise a list of age categories, position, rider ID, names and timing information. Some list sponsors, some list hometown. Some public results even have dates of birth on, though I never scrape those - the most I show is year of birth. I can definitely live with getting rid of things like hometown/year of birth if necessary, but obviously can't afford to lose the results themselves!

Is this business model still possible under GDPR, or should I be looking for a new line of work...? :o

I can email my existing users (those who have signed up for alerts or bought photos) and ask them to "opt in"... but that's only about 15% of the names on the site. I'd estimate that 70% of the names on the site have never even HEARD of the site, and another 15% know it and use it but have never given me any contact details.

I remember someone on the old forum saying something about there being "acceptable use" if it was essential to the running of the business. Do we think my site could qualify under that?

Thanks all.

Beany please don't hack me ;)
Last edited by seb on Fri Nov 29, 2019 12:54 am, edited 5 times in total.
seb
Posts: 33
Joined: Wed Apr 11, 2018 3:41 pm

Re: GDPR - anyone here know much about it?

Post by seb »

Looking at https://ico.org.uk/for-organisations/gu ... interests/, I feel that I'd like to qualify under this:
When might legitimate interests be appropriate?
Legitimate interests is the most flexible of the six lawful bases. It is not focused on a particular purpose and therefore gives you more scope to potentially rely on it in many different circumstances.

It may be the most appropriate basis when:

1) the processing is not required by law but is of a clear benefit to you or others;
2) there’s a limited privacy impact on the individual;
3) the individual should reasonably expect you to use their data in that way; and
4) you cannot, or do not want to, give the individual full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

1) yes - benefit to me and to almost all who find and use the site
2) yes - just their race results (although it worries me that that brings with it a list of where someone was on various dates!)
3) maybe...?
4) yes - I can't. I make it very easy for them to opt out if they DO object, but in many years I've only had a handful of people ask to be removed.

What does the forum think..?
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

If the named people have signed ts&cs with the event that says their data will be published, and you’re just reproducing publicly available information, you’ll probably be OK. The problem is that there’s no test cases yet so it’s hard to really interpret what will/won’t be acceptable. If this is your business, I strongly recommend getting proper legal advice. I’m Data Protection Officer at work and have been immersed in this for about 2 years along with our 2 person legal team and we still keep coming up with questions we don’t know the answer to.
Middle-aged Dirtbag
dinny_g
Posts: 5320
Joined: Wed Apr 11, 2018 4:31 pm

Re: GDPR - anyone here know much about it?

Post by dinny_g »

NotoriousREV wrote: Mon Apr 30, 2018 7:01 pm If the named people have signed ts&cs with the event that says their data will be published, and you’re just reproducing publicly available information, you’ll probably be OK. The problem is that there’s no test cases yet so it’s hard to really interpret what will/won’t be acceptable. If this is your business, I strongly recommend getting proper legal advice. I’m Data Protection Officer at work and have been immersed in this for about 2 years along with our 2 person legal team and we still keep coming up with questions we don’t know the answer to.
All of this, (including doing nothing else for 2 years😄)

The organisers should definitely be tightening up their statements.

How are you accessing the data, do you mind me asking?

Edit - you’re holding the data in your own database??
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
seb
Posts: 33
Joined: Wed Apr 11, 2018 3:41 pm

Re: GDPR - anyone here know much about it?

Post by seb »

Sometimes the organiser emails the results directly to me and I am in fact their way of displaying the results to the world. More often than not though I just scrape them from their website (or the timing company's website).

So yes, I hold the data in my own database. A few million lines of competitor information by now.
dinny_g
Posts: 5320
Joined: Wed Apr 11, 2018 4:31 pm

Re: GDPR - anyone here know much about it?

Post by dinny_g »

Then you should get some legal advice as Rev recommended. Lots of GDPR will likely apply to you.
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

seb wrote: Mon Apr 30, 2018 7:51 pm Sometimes the organiser emails the results directly to me and I am in fact their way of displaying the results to the world. More often than not though I just scrape them from their website (or the timing company's website).

So yes, I hold the data in my own database. A few million lines of competitor information by now.
So in the instance where they’re passing you the data and it’s not published elsewhere, they need to have an agreement in place with the individual that they can pass their data to you for publication (especially if they are in the EU or the subject is an EU resident). They would be the data controller, you would be the data processor and you may need a GDPR compliant agreement between you in order for you to process it. Without this, your legal basis is flimsy.

Where you’re scraping, I think you’ll be fine as long as the data is generally available to the general public (ie you don’t need to be a member to see that data).

However, you do need to be able to respond to requests: Subject Access Requests, Right to be forgotten etc. Are you registered with the ICO as a business that handles data?
Middle-aged Dirtbag
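The opt-out flag seb describes in the first post (history page hidden, name still present in each event's results) and the Subject Access / right-to-be-forgotten handling NotoriousREV says the site must be able to respond to, modelled together as an added example. This is not code from the site or from anyone in the thread; the SQLite schema, table and column names, and the sample riders and results are constructed assumptions.

```python
"""Toy model of an opt-out flag plus data-subject request handling.

Constructed example: schema, names and sample data are assumptions, not the
real site's. Runs offline against an in-memory SQLite database.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE rider (
    rider_id       INTEGER PRIMARY KEY,
    name           TEXT NOT NULL,
    hometown       TEXT,               -- optional field the thread says could be dropped
    year_of_birth  INTEGER,            -- likewise
    history_hidden INTEGER NOT NULL DEFAULT 0   -- the opt-out flag
);
CREATE TABLE result (
    event       TEXT NOT NULL,
    event_date  TEXT NOT NULL,
    position    INTEGER NOT NULL,
    rider_id    INTEGER NOT NULL REFERENCES rider(rider_id),
    finish_time TEXT NOT NULL
);
CREATE TABLE request_log (             -- audit trail of opt-out / SAR / erasure requests
    rider_id    INTEGER NOT NULL,
    kind        TEXT NOT NULL,
    received_at TEXT NOT NULL
);
"""

# Constructed sample data: fictitious riders and events.
RIDERS = [(1, "A. Rider", "Townsville", 1985), (2, "B. Racer", None, 1990)]
RESULTS = [
    ("Spring Enduro", "2018-04-14", 3, 1, "01:12:30"),
    ("Spring Enduro", "2018-04-14", 7, 2, "01:15:02"),
    ("Summer XC", "2018-06-02", 1, 1, "00:58:11"),
]


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rider VALUES (?,?,?,?,0)", RIDERS)
    conn.executemany("INSERT INTO result VALUES (?,?,?,?,?)", RESULTS)
    return conn


def _log(conn, rider_id, kind):
    conn.execute("INSERT INTO request_log VALUES (?,?,?)",
                 (rider_id, kind, datetime.now(timezone.utc).isoformat()))


def event_results(conn, event):
    """Per-event listing: every finisher still appears, as on the official
    results, but the name only links to a history page when the flag is clear."""
    rows = conn.execute(
        "SELECT r.position, r.finish_time, p.name, p.history_hidden "
        "FROM result r JOIN rider p USING (rider_id) "
        "WHERE r.event = ? ORDER BY r.position", (event,)).fetchall()
    return [{"position": r["position"], "name": r["name"],
             "time": r["finish_time"], "linkable": not r["history_hidden"]}
            for r in rows]


def rider_history(conn, rider_id):
    """History page: None when the rider is unknown or has opted out
    (the page is simply not served), otherwise the list of their events."""
    rider = conn.execute("SELECT history_hidden FROM rider WHERE rider_id = ?",
                         (rider_id,)).fetchone()
    if rider is None or rider["history_hidden"]:
        return None
    return [dict(r) for r in conn.execute(
        "SELECT event, event_date, position, finish_time FROM result "
        "WHERE rider_id = ? ORDER BY event_date", (rider_id,))]


def opt_out(conn, rider_id):
    """The 'flip a flag' opt-out from the first post, now with an audit entry."""
    conn.execute("UPDATE rider SET history_hidden = 1 WHERE rider_id = ?", (rider_id,))
    _log(conn, rider_id, "opt-out")


def subject_access_export(conn, rider_id):
    """Subject Access Request: everything held about one rider, including
    the log of earlier requests, as plain dicts ready to serialise."""
    _log(conn, rider_id, "sar")
    profile = conn.execute("SELECT * FROM rider WHERE rider_id = ?", (rider_id,)).fetchone()
    results = conn.execute("SELECT * FROM result WHERE rider_id = ?", (rider_id,)).fetchall()
    log = conn.execute("SELECT kind, received_at FROM request_log "
                       "WHERE rider_id = ? ORDER BY rowid", (rider_id,)).fetchall()
    return {"profile": dict(profile) if profile else None,
            "results": [dict(r) for r in results],
            "requests": [dict(r) for r in log]}


def minimise(conn, rider_id):
    """Erasure-style request: drop the optional fields the first post says the
    site could live without and hide the history page; the per-event result
    row itself (what the organiser already publishes) is retained."""
    conn.execute("UPDATE rider SET hometown = NULL, year_of_birth = NULL, "
                 "history_hidden = 1 WHERE rider_id = ?", (rider_id,))
    _log(conn, rider_id, "minimise")
```

Keeping the result row while refusing to serve the history page is exactly the behaviour the first post describes; the added `request_log` table is the piece a later legal review would ask for, since it lets the site show when each opt-out, access or erasure request was received and acted on.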
Simon
Posts: 4768
Joined: Wed Apr 11, 2018 4:03 pm

Re: GDPR - anyone here know much about it?

Post by Simon »

NotoriousREV wrote: Mon Apr 30, 2018 7:01 pm I’m Data Protection Officer at work and have been immersed in this for about 2 years along with our 2 person legal team and we still keep coming up with questions we don’t know the answer to.
I think you'll find someone put all the useful information on your desk some months ago, which you binned and subsequently denied all knowledge of when they emailed to ask if 'it was done yet'... :P
The artist formerly known as _Who_
Jobbo
Posts: 9341
Joined: Wed Apr 11, 2018 4:20 pm
Currently Driving: S6 Avant, Jimny, Macan, Mini

Re: GDPR - anyone here know much about it?

Post by Jobbo »

If you’re after legal advice then you’ve left it too late, to be honest. Our GDPR specialist is booked up for months already. Be wary of any solicitor claiming to specialise in it who has any capacity to advise you currently.
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

Simon wrote: Mon Apr 30, 2018 9:45 pm
NotoriousREV wrote: Mon Apr 30, 2018 7:01 pm I’m Data Protection Officer at work and have been immersed in this for about 2 years along with our 2 person legal team and we still keep coming up with questions we don’t know the answer to.
I think you'll find someone put all the useful information on your desk some months ago, which you binned and subsequently denied all knowledge of when they emailed to ask if 'it was done yet'... :P
Nope. I have zero sense of humour when it comes to GDPR, given how much time it’s soaked up over the last 2 years.

According to our external legal advisors, I have the most comprehensive data audit and processes of any of their large corporate clients. It’s all the fucking edge cases that cause the problem. For example: you have a customer who has opted into your mailing list. Can you send them a marketing email that includes a promotion for a competition from a 3rd party for products that are tangentially related to your product? eg you sell skateboards but you and a shorts manufacturer jointly run a competition. GDPR wording seems to suggest you can’t but is fuzzy.

Another example would be a holiday company listing some tourist attractions with links to the websites for those attractions or local tourist boards, even when they’re not paid promotions. Again, GDPR maybe suggests you can’t do this but we want to know how far we can push things.

Legal interpretation is a minefield.
Middle-aged Dirtbag
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

A great example of the interpretation is this: how many companies are emailing you now asking you to re-consent or refresh your consent? It’s unnecessary unless you were already in breach of the current DPA regs when collecting those email addresses originally. But loads of big companies think they have to do it, thus decimating their contact lists as most people will take the opportunity to unsubscribe.
Middle-aged Dirtbag
JonMad
Posts: 2695
Joined: Wed Apr 11, 2018 9:25 pm
Currently Driving: 2015 Swift; 2012 Yeti; 2006 Fabia

Re: GDPR - anyone here know much about it?

Post by JonMad »

I've also been looking at GDPR at work but as a reviewer of solutions, not a controller or processor.
NotoriousREV wrote: Mon Apr 30, 2018 9:59 pm A great example of the interpretation is this: how many companies are emailing you now asking you to re-consent or refresh your consent? It’s unnecessary unless you were already in breach of the current DPA regs when collecting those email addresses originally. But loads of big companies think they have to do it, thus decimating their contact lists as most people will take the opportunity to unsubscribe.
I was trying to work out whether this was the case or not. Have you got a link to some explicit wording on it?

My wife's a hairdresser and whilst she has the contractual basis for storing PI for making appointments etc, I'm thinking we should get explicit consent for the odd marketing/'happy christmas' email or facebook message. A quick SurveyMonkey link in a short email that I drafted the other night should capture that painlessly enough.

Seb, you may also want to check any cloud services you use. Again, my wife uses a cloud service for appointment management so her customers' PI is held by them.
Left over crest; tightens.
dinny_g
Posts: 5320
Joined: Wed Apr 11, 2018 4:31 pm

Re: GDPR - anyone here know much about it?

Post by dinny_g »

NotoriousREV wrote: Mon Apr 30, 2018 9:59 pm A great example of the interpretation is this: how many companies are emailing you now asking you to re-consent or refresh your consent? It’s unnecessary unless you were already in breach of the current DPA regs when collecting those email addresses originally. But loads of big companies think they have to do it, thus decimating their contact lists as most people will take the opportunity to unsubscribe.
A fine case in point - our guidance is slightly different. Obtaining re-consent is advised if the initial capture was not "GDPR compliant" rather than not DPA compliant. Soft opt-in consent, for example, was allowed under DPA but not under GDPR.

I wouldn't be continuing to market to customers whose consent predates May 25th 2018 and whose consent wasn't provided by positive affirmative action.
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

dinny_g wrote: Tue May 01, 2018 9:06 am
NotoriousREV wrote: Mon Apr 30, 2018 9:59 pm A great example of the interpretation is this: how many companies are emailing you now asking you to re-consent or refresh your consent? It’s unnecessary unless you were already in breach of the current DPA regs when collecting those email addresses originally. But loads of big companies think they have to do it, thus decimating their contact lists as most people will take the opportunity to unsubscribe.
A fine case in point - our guidance is slightly different. Obtaining re-consent is advised if the initial capture was not "GDPR compliant" rather than not DPA compliant. Soft opt-in consent, for example, was allowed under DPA but not under GDPR.

I wouldn't be continuing to market to customers whose consent predates May 25th 2018 and whose consent wasn't provided by positive affirmative action.
Soft opt in was fine, and is still fine under GDPR, e.g. a pre-ticked box, as long as the wording was clear, unambiguous etc.
Middle-aged Dirtbag
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

Also, don't forget if you are using external services to store or process data that the data can't leave the EU without consent and a GDPR DPA in place e.g. Privacy Shield.
Middle-aged Dirtbag
ste
Posts: 877
Joined: Wed Apr 11, 2018 4:16 pm

Re: GDPR - anyone here know much about it?

Post by ste »

My take would be that you hold PID and like it or not you haven't asked for it and nor do you have authority to share it. It may be in the public domain elsewhere, but you're still holding it and presenting it.

I imagine a good first step would be a mailshot with opt-in via an action, i.e. you can't assume people are in unless they opt out; you need to remove everyone and ask them to manually opt themselves back in. You then have an audit of permission to display that PID. Until you have full legal advice that would at least show that you've taken a sensible approach and an intention to do the right thing.
dinny_g
Posts: 5320
Joined: Wed Apr 11, 2018 4:31 pm

Re: GDPR - anyone here know much about it?

Post by dinny_g »

NotoriousREV wrote: Tue May 01, 2018 9:57 am Soft opt in was fine, and is still fine under GDPR, e.g. a pre-ticked box, as long as the wording was clear, unambiguous etc.
So long as we're talking about processing on the basis of consent (rather than one of the other legal bases for processing), the ICO disagrees.

https://ico.org.uk/for-organisations/gu ... g/consent/

Asking for consent

☐ We have checked that consent is the most appropriate lawful basis for processing.

☐ We have made the request for consent prominent and separate from our terms and conditions.

☐ We ask people to positively opt in.

☐ We don’t use pre-ticked boxes or any other type of default consent.

☐ We use clear, plain language that is easy to understand.

☐ We specify why we want the data and what we’re going to do with it.

☐ We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

☐ We name our organisation and any third party controllers who will be relying on the consent.

☐ We tell individuals they can withdraw their consent.

☐ We ensure that individuals can refuse to consent without detriment.

☐ We avoid making consent a precondition of a service.

☐ If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

That's what an ICO checklist says, but it's not what GDPR says.
Middle-aged Dirtbag
NotoriousREV
Posts: 6437
Joined: Wed Apr 11, 2018 4:14 pm

Re: GDPR - anyone here know much about it?

Post by NotoriousREV »

Also, don't forget: consent should be your last resort when it comes to legal basis.
Middle-aged Dirtbag
dinny_g
Posts: 5320
Joined: Wed Apr 11, 2018 4:31 pm

Re: GDPR - anyone here know much about it?

Post by dinny_g »

NotoriousREV wrote: Tue May 01, 2018 10:50 am That's what an ICO checklist says, but it's not what GDPR says.
OK from the actual regulation itself...

http://data.consilium.europa.eu/doc/doc ... NIT/en/pdf

Section 32 relating to consent...

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."
JLv3.0 wrote: Thu Jun 21, 2018 4:26 pm I say this rarely Dave, but listen to Dinny because he's right.
Rich B wrote: Thu Jun 02, 2022 1:57 pm but Dinny was right…