
GDPR

Hi,

Can anyone point me to someone very knowledgeable in the area of GDPR?

Thanks, Phil
 
I've spent a fair bit of time working on GDPR over the last few weeks so if you've got any questions drop me a message.
 
I've got a quick question. Is it mandatory to have a popup message on your website where you need to click to consent to using cookies and accept your privacy policy, or is it enough just to have a message in your footer saying that if you continue to use the site you consent to cookies and have read the privacy policy? The issue I have is that if you have to use a popup then it will prevent our website caching working. It seems a bit overkill to have to use a popup message which uses a cookie, to accept the use of cookies. It should be a given that if you are using any website on the internet, that they will probably use cookies.
 
To my understanding that falls under the PECR, not GDPR. The ICO state you should "get consent the first time you set a cookie", meaning you should get a positive action to confirm, such as a tick box or button; however, they also state that you can get implied consent, which doesn't require an "opt-in". This is the big grey area.

You also have the EU Cookie Law that should enforce the right for a user to be able to request information on what you store and why, and if you can't provide an answer that is satisfactory (again vague) then the user has the right to report you, presumably to the ICO which at that point would fall under GDPR.

I've not really answered your question, but hopefully it gives you some more information.
 
Thanks for the info, I have yet to find a definitive answer to this. I'm presuming most sites use Google Analytics and AdSense, which set cookies, so does this mean you need a popup box to get consent or not? And does this only matter if the cookie contains personally identifiable information? You would have thought that the ICO/GDPR would be very clear about what is needed for website owners, instead of making it very difficult for everyone to understand what they actually need to do.
 
My educated(ish) guess would be that generally as long as you clearly state cookie use, what you store and why in the terms/privacy you should be ok. If you ever have a time where a consumer or site user questions this you just need to have a strong backing to the reasons for cookie storage. If they decide that the reasons aren't strong enough and take it to the ICO then you could face issues.

Just to edit...

Data stored on the user, either personal or meta (IP, user agent, device), is classed as personal data if it can be linked to the user, say via a user id in the cookie, or a session id that links the user in your system.
 
Just to caveat, I'm no expert, just spent a lot of time on it recently.
 
I can see SARs for the average website owner being a joke.

For the most part, finding exactly what WordPress stores on any given user isn't easy, just as a basic example.

One of the more interesting debates I have seen is: if you track a user by storing metadata like IP, date, what they looked at, but never any information which linked to them personally, say for usage tracking, would it be covered?

The debate was raging, half saying no because you can't identify the person, and half saying yes because you can identify that person coming and going but doesn't matter if you can't physically link it to them. It's going to be a long road of these debates.
 
If you can't identify a person from the data then it doesn't come under GDPR as the data is anonymised. In the same way, if a user asks you to remove their data, you only actually have to remove the identifier to them; you can keep the data as long as it can't be re-referenced to a particular person. As far as I'm concerned that part at least isn't a debate.
 
