New Data Protection Regulations

Agencies and other headaches, keys and cleaners, running costs and contracts...in short, all the things we spend so much of our time doing behind the scenes.
Ian H
Posts: 6
Joined: Wed Mar 21, 2018 1:01 pm
Location: North Wales, UK

Post by Ian H »

This is my understanding.

If you are sending them emails to finalise a booking they have made (i.e. sending key pickup instructions, chase final payment etc) then you can send those emails as they are required per the contract you have with them. So you have a lawful basis under GDPR (there are various lawful bases in addition to them giving consent).

From a marketing perspective....

You would not be able to market to these people in the booking process currently in future unless you asked for their consent to do so at some point in the booking / enquiry process. Note consent has to be an actual opt in from them i.e. a box they tick ON and has to detail what they are consenting to. Not some consent hidden in small print and you can't use consent given for one purpose as consent for another purpose.

If they are people who have contacted you in the PAST and you want to continue marketing to them then you would have to reconfirm and get consent prior to 25th May that you can continue to market to them. Hence why you are probably being inundated with emails at the moment "we want to keep in touch" etc. Once you hit the 25th you can't market / contact them unless they have given you explicit consent to do so. And you need to be able to prove consent was given.
SusanMay
Posts: 125
Joined: Sun Jan 29, 2012 6:23 pm
Location: Dorset

Post by SusanMay »

Thought I'd check if Wave Invoicing is compliant with GDPR. I came across this thread:

https://community.waveapps.com/discussi ... -with-gdpr

Pertinent sentence from May 18th: "We have taken steps to identify areas of improvement and are working towards full support of GDPR. Though we can’t yet say with certainty when we will fully support GDPR, we will share that information with our customers when it’s available."

So I suspect they are not going to be compliant for the 25th. Rather wish I hadn't looked.

What do Waveapps users think of this?
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

Jenster - a couple of thoughts on your statement.
You say that your legal basis for processing is Contract. That basis doesn’t apply to all aspects; your retention of data for the 6 year period is Legal Obligation, your collecting data for website performance analysis is Legitimate Interest. I assume you don’t use a mailing list.

One horrible thought that occurred to me this morning, which is related to your statement re cookies that “no personal data is collected”. Like many, I use Google Analytics. GA uses cookies, and collects IP addresses which are under the heading of personal information for GDPR. Google also processes the data, so it’s being passed to them...
From a bit of research so far it looks like a can of worms, with varying views and suggestions that we need to allow website visitors to easily opt out of the GA cookie collection (and I’d guess that would be a majority), and other topics that seem to suggest that using GA or similar is going to be a big issue.

Just when I thought I’d almost got there... :roll: :roll:
newtimber
Posts: 1945
Joined: Sat Nov 24, 2012 5:57 pm
Location: Brighton

Post by newtimber »

greenbarn wrote: Like many, I use Google Analytics. GA uses cookies, and collects IP addresses which are under the heading of personal information for GDPR. Google also processes the data, so it’s being passed to them...
You should be specifying that the IP addresses are anonymised so that they aren't identifiable with anyone in particular.
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

newtimber wrote:
greenbarn wrote: Like many, I use Google Analytics. GA uses cookies, and collects IP addresses which are under the heading of personal information for GDPR. Google also processes the data, so it’s being passed to them...
You should be specifying that the IP addresses are anonymised so that they aren't identifiable with anyone in particular.
I don’t think GA does that by default? I’m in the process of trying to find out how to do it and so far been directed to stuff about javascript... do you happen to know if there’s a simple setting?
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

I’ve looked a bit further now and found this which is a useful start.

There’s an extra line you need to add in to your GA tracking code on the website to anonymize IP addresses.

This is the code, which I think I’ve added in the correct place... gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });

For users of the WP plugin Monster Insights (which uses GA), there’s a much simpler selection in their config.

If only I’d listened to my mother and become a brain surgeon... :roll:
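A way to check the placement discussed in the post above, as an added example that is not part of the original thread: this script scans a page's source and flags any `gtag('config', ...)` call that does not itself carry `anonymize_ip: true`, such as an original config line left in place beside the new one. The sample page is constructed, `<GA_TRACKING_ID>` is the placeholder used in the post, and the function names are hypothetical.

```javascript
// Added example (not from the thread): audit page source for gtag config
// calls that lack the anonymize_ip flag.
// SAMPLE_PAGE is constructed; '<GA_TRACKING_ID>' is a placeholder.
const SAMPLE_PAGE = `
<script async src="https://www.googletagmanager.com/gtag/js?id=<GA_TRACKING_ID>"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', '<GA_TRACKING_ID>');
  gtag('config', '<GA_TRACKING_ID>', { 'anonymize_ip': true });
</script>`;

// Return one finding per gtag('config', ...) call found in the HTML.
// Limitation: the options object is matched up to its first '}', so
// nested object literals inside the options are not handled.
function auditGtagConfig(html) {
  const findings = [];
  const re = /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[^}]*\}))?\s*\)/g;
  for (const m of html.matchAll(re)) {
    const options = m[2] || '';
    // The flag only counts when it is explicitly set to true.
    const anonymized = /['"]?anonymize_ip['"]?\s*:\s*true\b/.test(options);
    findings.push({ id: m[1], anonymized, call: m[0] });
  }
  return findings;
}

// Only the calls that would need fixing.
function unanonymizedCalls(html) {
  return auditGtagConfig(html).filter((f) => !f.anonymized);
}

for (const f of unanonymizedCalls(SAMPLE_PAGE)) {
  console.log('config call without anonymize_ip:', f.call);
}
```

On the constructed sample it reports the first config line, which has no options object, and passes the second.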
SusanMay
Posts: 125
Joined: Sun Jan 29, 2012 6:23 pm
Location: Dorset

Post by SusanMay »

Thanks Greenbarn.

For WordPress users with the Google Analytics Dashboard for WP plugin (by ExactMetrics) who want to do this then from your dashboard select, under Google Analytics, Tracking Code. Then select the Advanced Settings tab and toggle the button "anonymise IPs while tracking" to On.

Apparently this isn't set to 'on' by default but when I checked mine it was already on...
Jenster
Posts: 454
Joined: Tue Mar 08, 2016 8:24 am
Location: Cornwall

Post by Jenster »

greenbarn wrote: Jenster - a couple of thoughts on your statement.
You say that your legal basis for processing is Contract. That basis doesn’t apply to all aspects; your retention of data for the 6 year period is Legal Obligation, your collecting data for website performance analysis is Legitimate Interest. I assume you don’t use a mailing list.
Thanks Greenbarn. No I don’t use a mailing list. I used to but found I couldn’t be bothered so have now deleted it.

I didn’t know you could specify more than one legitimate interest - the ICO website suggests you have to pick just one (‘with care’). So I just went with the main one that applies. But I can see what you suggest makes more sense.
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

Jenster wrote:
greenbarn wrote: Jenster - a couple of thoughts on your statement.
You say that your legal basis for processing is Contract. That basis doesn’t apply to all aspects; your retention of data for the 6 year period is Legal Obligation, your collecting data for website performance analysis is Legitimate Interest. I assume you don’t use a mailing list.
Thanks Greenbarn. No I don’t use a mailing list. I used to but found I couldn’t be bothered so have now deleted it.

I didn’t know you could specify more than one legitimate interest - the ICO website suggests you have to pick just one (‘with care’). So I just went with the main one that applies. But I can see what you suggest makes more sense.
I think the idea is that for each of the reasons for which you process data (booking management, tax, etc) you choose only the most appropriate basis for that particular reason (and state it). I came across some (very lengthy) sample statements from “legal experts” that did exactly that.

The statement must be written in a way that is clear and easily understood. So nothing like the ICO website, then...
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

SusanMay wrote: Thanks Greenbarn.

For WordPress users with the Google Analytics Dashboard for WP plugin (by ExactMetrics) who want to do this then from your dashboard select, under Google Analytics, Tracking Code. Then select the Advanced Settings tab and toggle the button "anonymise IPs while tracking" to On.

Apparently this isn't set to 'on' by default but when I checked mine it was already on...
That sounds like a WP plugin that’s worth a look - Thanks!
greenbarn
Posts: 6146
Joined: Sat May 30, 2009 6:41 pm
Location: The Westmorland Dales, Cumbria

Post by greenbarn »

Jenster wrote: No I don’t use a mailing list. I used to but found I couldn’t be bothered so have now deleted it.
Over the last couple of weeks I’ve been seriously wishing I did that about 6 months ago...
After a while I found the biggest issue I had with using Mailchimp was an overpowering desire to rip the head off that grinning idiot monkey in the hat, and the frustration of not being able to do it... :evil:
Joanna
Posts: 1091
Joined: Thu Aug 23, 2007 3:12 pm
Location: Chester, North West England & Sidmouth, East Devon

Post by Joanna »

Here's a useful explanation of GDPR aimed at WordPress users but relevant to most web sites:
http://www.wpbeginner.com/beginners-gui ... =gdprguide
Jo

Joint owner of Baker's Cottage in Chester & Chandler's Cottage in Sidmouth
stork
Posts: 332
Joined: Fri Jan 07, 2011 3:18 pm
Location: Algarve

And emails?

Post by stork »

I have looked a bit around as well, and my biggest doubt is what to do with your old emails? Most of the information of most people's bookings/enquiries can be found there, but cleaning out the whole lot?

I have found that you are generally not required to go back and delete in backups: https://www.acronis.com/en-us/blog/post ... mendations.

And we are for sure going to use PIMS anonymising feature.
Jenster
Posts: 454
Joined: Tue Mar 08, 2016 8:24 am
Location: Cornwall

Re: And emails?

Post by Jenster »

stork wrote: I have looked a bit around as well, and my biggest doubt is what to do with your old emails? Most of the information of most people's bookings/enquiries can be found there, but cleaning out the whole lot?

I have found that you are generally not required to go back and delete in backups: https://www.acronis.com/en-us/blog/post ... mendations.

And we are for sure going to use PIMS anonymising feature.
I have deleted all old emails from enquiries (fairly easy as I kept them in a separate folder). I don’t need them anyway. For bookings I have just stated that details may be held in a secure email account as well as in my booking software. I don’t think people have a right to be forgotten if you have a legal or contract basis for keeping their details, as you need them for very valid reasons (to keep in touch about their booking or legal tax records).
Joanna
Posts: 1091
Joined: Thu Aug 23, 2007 3:12 pm
Location: Chester, North West England & Sidmouth, East Devon

Post by Joanna »

Jenster - that's how I understand it too. Stork's link explains it quite well - you don't have to delete data in old backups if that would also delete other data that you have a legal requirement to keep eg accounting info that has to be kept for 6 years.
Jo

Joint owner of Baker's Cottage in Chester & Chandler's Cottage in Sidmouth