Amazing, such a comprehensive but short overview
What's that coming over the hill, is it a monster, is it a monster?
No, it's GDPR.
It seems the people in the EU who made GDPR didn't think of another legal aspect of this, however: if you DON'T keep past communications, or if someone asks to remove his/her data (which may be an email correspondence), then how can you PROVE in writing that something did or did not take place with this person?
Little Cooking Tips - Blog - Is that really important? To my understanding you are only required to tell if you have data about someone or not. So your answer to a user would be something like: "We have no data about you. Either we never had any, or you asked us to delete it."
Hi Aidan! I mean something different; perhaps I wasn't as clear as I should have been. If you remove any communication with a person because this person requested it (email and such), then how can you be safe from legal action/liability from this person? He/she may make false claims and you wouldn't have proof that you answered these claims in writing. Moreover, does one keep the request for the deletion, which itself contains personal information? If not, then how, again, can one prove that he deleted information at someone's request? I'm honestly quite baffled by some of the logic behind GDPR.
Oh I see. As I understand it, your "data protection implementation", i.e. all the software you use to collect/process/delete data, must create audit logs to keep track of every action of end users and privileged/administrative users. So basically, whatever happens to personal data (even data breach detection) must be written to audit logs, which serve as proof.
Great video! Would you say this is all still relevant, or have there been changes that would apply here?
This list is great!! Thank you for making it simple
thanks Desiree! :)
Will they be checking my bins then?
Haha! But that might be a breach of your data privacy... touche bureaucrats!
It's like Schrödinger's cat, but for data. The data both exists and does not exist, until someone looks for it... and finds it in your bin.
Best to shred any paper with phone numbers and addresses on it, with a paper shredder.
As an American, I will not recognize GDPR or European law as my servers are not located outside the EU. But I do find some of the ideas nice.
This was very helpful. I am curious as to what steps/policies are in place for the USA & Canada? Someone informed me that GDPR is at the pinnacle of data protection and if your website is GDPR compliant it means you're probably covered in the USA and Canada. Is this true?
As GDPR is quite strict, but also logical when it comes to opt-in, it is highly likely that a GDPR-compliant website is US/CA compliant.
Also, without this explicit consent, we can't send him any email? Not even if he forgot the password and wants to restore it?
No, you can send email related to the original interest. So if I registered on your website, you can send me email about registrations and my account. That's completely okay! :)
thank you very much :)
Is it ok to have your cookie policy, privacy policy and GDPR statement in discrete tabs at the bottom of your page for the visitor to click on if they choose, and not in a pop-up? I've seen so many web design sites do this, I assume because it's not intrusive for the visitor... is this ok?
Starts at 2:22
Can these checkboxes be required? So that if you don't allow us to email you, you can't complete the registration? Also how about backups? If someone wants to be forgotten, it's very hard to erase his data from the aggregated backups
Hey Francesco, good question.
If a legitimate interest exists - such as a registration - then sending an email without a consent 'tick box' is okay. In that case the data is being gathered out of necessity.
Where it becomes an issue is if you then email that person anything that isn't related to the original registration action.
So if you plan to 'market' to them after registration, then you must ask them if they're okay with that. You can do that on your form with a 'tick box' or in a following email that asks them to confirm the additional opt-in.
Does that make sense?
Backups are a big issue for all of us. It will mean disposing of older backups that contain 'deleted' users. We'd recommend a decay-type policy whereby you as the data holder are given a grace period of, say, 30 days to remove the user from backups. That means that if someone asks to be forgotten entirely, you have a little leeway on cleansing backup data, which is typically harder to get hold of and manage.
So do we not need to be "GDPR" compliant if we are just gathering info from local customers (in Texas)?
No you're fine, you could just exclude those people from all your cookies - but you'd still need to outline in your privacy policy what you're doing and what happens if someone from the EU sends you data (contacts you).
What about the log to prove consents?
Now that is a good question and honestly, I'm not sure because that in itself seems like it could fall under GDPR... which is insane!
How do you prove it if the person opted out and therefore left no footprint, other than an anonymous visit to your site (or similar)?
The cookie you store is not an 'online identifier' if you are simply storing the preference of the user's consent (yes/no). There's no problem with setting cookies.
Fun fact: deleting user data also counts as "processing" data by the definition. So, without any legal basis, deleting data is thereby illegal.
Would stating this in a privacy policy help?
Also, if the data is just something like an anonymised IP, would deleting it still be illegal?
All I want to know is do I click yes or no! I'm very very new to this and I'm signing up with JVZoo and don't know whether to say yes or no.
Is your use of the JVZoo service regulated by GDPR?
A last question, since it seems you know a lot :) What if I issued invoices to him? I must delete the invoices? I think that's against the law... :)
Now that's an interesting question. I actually don't know the legalities around that but you're right, you can't just delete invoices! A safe filing system is a must, but that leaves the question of what if you stop working with that person: can they then request you destroy their data (old invoices)? That wouldn't make sense because of legal accounting requirements.
Invoices are part of the justified purposes which are outside the scope of GDPR: _"if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …"_
However, GDPR applies right after the legal obligation ends. For example, if local laws require you to keep invoices for 12 years, you must delete them immediately after the 12-year period.
Thanks Aidan, that makes sense.
Very useful. Thanks
our pleasure Toby!
If we cover these 7 steps correctly then are we all good & legal? There's so many snake oil salesmen out there asking for £250 to be GDPR compliant and filling out 100 page forms etc.!?
If you're unsure ASK the user to opt-in and be very CLEAR in your privacy policy:
- how you collect data
- why you need it / what you do with it
- how you store it
- how they remove themselves (contacting you is okay)
- and how they can contact you (email address and/or person)
AdEvolver, thank you very much, you're a lifesaver! Much appreciated :)
Nice clear explanation
The EU should just stop using the internet for ultimate privacy. The people will need to search your bins to get your personal data, how safe would that be?
This is great content. Thanks!
Thank you so much
Thanks, that helps a lot!
Thank you for the help!
thank you so much :)
You're not hard on the eyes, BTW!
We work hard on the lighting! :-D
Change the intro from 17 seconds to 1.5 seconds. This way less irritation is caused.
Couldn't I just host my website on a remote server in a normal country, like the US, or Korea, so I don't have to comply with these crazy EU dictatorship rules?