[BNM] GDPR shenanigans

Tristan Bailey tristanbailey at gmail.com
Mon Aug 9 12:24:14 BST 2021


Hi

I like the replies given and we too would recommend keeping a “removed” list of emails so that they are blacklisted from sending out if we can’t delete some parts that are for business use. Or if they could be accidentally added back by an automation. 
I’ve not had to deal with customers and legal around when someone signs up again and their feeling as to if they should see a blank interface or it remembers some of their non personal account settings. I think there is a business case and personal data for a lot of these different fields. 
Legal case for storing data for your industry is probably more important than GDPR for creating issues for your company but having data that is out of process would be a better way to deal with it. 
So like was said have it written down and reviewed every few months not just different members or staff doing different amounts of cleaning. Then have also the steps for how you will learn and review your mistakes as things change and you can’t plan for it all. 

Would be interested to talk over coffee with anyone who has implemented the code for this on a larger system or to replace a system in a bigger company as I've not found much to read on how people are doing this work. 

Tristan 

Owner and Head of Development 
Holdingbay

https://holdingbay.co.uk
https://twitter.com/theholdingbay
skype: tristanbailey
email: tristan at holdingbay.co.uk 

... also host “The Cliff Notes Podcast” - manufacturing & digital intersection, since 2016

> On 5 Aug 2021, at 15:53, James Hedley <jim.hedley at gmail.com> wrote:
> 
> Hi Simon,
> 
> Delete everything you can permanently. Any data you need to retain should
> be defined and governed by a controlled document somewhere in your QMS. For
> me, when a customer exercises their right to be forgotten (Art.17) I will
> attempt to delete all of their personal data (everything we can find
> relating to that individual when searching the nominated structured
> systems; email system, CRM etc.) Data that we need to keep is detailed
> upfront, and for us is data currently subject to a legal hold, or data
> relating to a previous regulatory or non-regulatory complaint - this data
> is kept for 10 years as defined in our data retention policies and also in
> our published privacy policy. When having to keep that old complaint data,
> it is orphaned from the data subject's account and stored elsewhere, so the
> original account can be deleted.
> In reality, deleting local records will often leave a back-up or archive
> somewhere but if that data is out of reach of normal processing activities,
> that is normally fine. Some companies keep email addresses to stop you
> signing up for free trials, demanding to be forgotten, then resubscribing
> for a free trial again... some don't (looking at you Adobe) but as long as
> they're upfront about what they do and the processing is regarded as
> 'necessary and proportional', they're covered.
> 
> With regards keeping the details of the actual request to be forgotten, I
> keep the name, email address and timestamp of the request in a system that
> sits outside of our defined structured systems (so as not to be in scope of
> future data subject requests itself) for a period of 3 years.
> 
> Advice to retain data outside of that defined above because 'it might be
> needed later' is the kind of stuff that gives me sleepless nights but I do
> work for a hugely risk-averse Swiss medical co.
> 
> KR
> Jim
> 
> 
> 
> 
> 
>> On Thu, 5 Aug 2021 at 14:37, Simon Early <simon.early at gmail.com> wrote:
>> 
>> listertians,
>> Can anyone help me out on this question?
>> 
>> GDPR - when you delete a record, must it be immutable and non-reversible? -
>> deleted is deleted
>> OR!
>> If requested by a court (for example) should you be able to restore the
>> data you have obfuscated? so, kinda not-quite-deleted
>> 
>> Isn't the whole point of GDPR that it's permanently erased?
>> 
>> confused!
>> 
>> * section 47(2) of the Data Protection Act 2018...*
>> 
>> 
>> https://www.legislation.gov.uk/ukpga/2018/12/section/47#:~:text=47Right%20to%20erasure%20or%20restriction%20of%20processing&text=(2)Where%20the%20controller%20would,personal%20data)%20restrict%20its%20processing
>> .
>> 
>> so we currently have 3 options for clients:
>> 
>> 1. retain and send me a copy
>> 2. delete and send me a copy
>> 3. delete
>> 
>> am I now to put in a 4th option of
>> 
>> 4. delete it but make it reversible if requested by a court ie make it
>> "un-processable"
>> 
>> help!
>> 
>> cheers,
>> Simon
>> ---
>> Simon Early
>> ▬▬▬▬▬▬▬▬▬▬ஜ۩۞۩ஜ▬▬▬▬▬▬▬▬▬▬
>> mob/whatsapp: 07539 733 173
>> New Forest
>> Skype: simonearly
>> ▬▬▬▬▬▬▬▬▬▬ஜ۩۞۩ஜ▬▬▬▬▬▬▬▬▬▬
>> --
>> 
>> BNM Subscribe/Unsubscribe:
>> http://lists.brightonnewmedia.org/options/bnmlist
>> 
>> BNM members often work together in the real world at:
>> http://www.theskiff.org
>> 
>> Join the BNM community on Slack
>> https://bnmslackin.herokuapp.com/
>> 
>> BNM powered by Wessex IT:
>> http://www.wessexit.com
> 
> 
> 
> -- 
> 
> 
> James Hedley
> 
> t:   07725 497538
> e:  mail at JamesHedley.com
> w:  http://JamesHedley.com

