
Register for data protection #326

Closed
johnmckerrell opened this issue Jul 25, 2016 · 15 comments

Comments

@johnmckerrell
Member

commented Jul 25, 2016

I don't think we've registered for data protection and we probably should. The main thing is the CCTV, that's an instant "yes" but I think even without that we would need to because we're keeping people's data indefinitely (beyond them being a member, though we don't have membership so I'm not completely sure how that would work).

@DoESsean

Contributor

commented Sep 22, 2016

All done. John is listed as the officer in charge (mainly because he has access to the cameras), and the relevant paperwork will be sent out.

@DoESsean DoESsean closed this Sep 22, 2016

@DoESsean DoESsean reopened this Sep 22, 2016

@DoESsean

Contributor

commented Sep 22, 2016

Issue reopened as, as @amcewen so astutely points out, 'Has the paperwork arrived already?'

One day I will close one of these correctly.

@johnmckerrell

Member Author

commented Sep 23, 2016

I've just received a "Security number" by email.


@DefProc


commented Oct 26, 2016

@johnmckerrell does that mean it's complete?

@amcewen

Member

commented Jun 29, 2017

Organisers' meeting notes: paging @johnmckerrell

@johnmckerrell

Member Author

commented Jun 29, 2017

Yes, we are. There's no paperwork, but I have 3 emails, including one that confirms we're on the register. I found our listing here:

https://ico.org.uk/ESDWebPages/Entry/ZA207178

@ajlennon

Contributor

commented Jun 30, 2017

Am I right in thinking it's a requirement to have a set of policies for this?

@euanwithersby


commented Jun 30, 2017

Yes! The GDPR supersedes the DPA as of 25 May 2018. It's a regulation rather than a directive and is very different from the DPA. The ICO website has done good guidance on what you need to do as an organisation.

@euanwithersby


commented Jun 30, 2017

DoES will also need a retention policy for data, an organisation can't keep personal information ad infinitum as this breaches the 'not held longer than necessary' principle. Perhaps categories of involvement ought to be introduced? Do have a look at the exemptions, though. It may be that some of the data doesn't require notification (although DoES should still aim to abide by the principles).

@ajlennon

Contributor

commented Jun 30, 2017

So... I'm assuming there is no official DoES policy (please somebody correct me if I'm wrong).

If that's true, does it mean DoES is currently in compliance but will not be in compliance from May 2018, @euanwithersby, or would DoES not be in compliance now?

@euanwithersby


commented Jun 30, 2017

Check out the small business compliance checklist; it lists a policy for dealing with data protection issues: https://ico.org.uk/media/for-organisations/documents/1558/getting_it_right_-_how_to_comply_checklist.pdf . I'd just spend a bit of time on this and start looking now at how this changes for GDPR. For the latter, for instance, you are required to ascertain and monitor that any third-party processors are also compliant; this could even be the booking forms website used for the workshop (i.e. customer data for DoES being processed by the third-party company).

@ajlennon

Contributor

commented Jun 30, 2017

@DoESsean can you comment on the current status wrt this?

@euanwithersby


commented Jul 1, 2017

I've had a look at the notification. I know you're just using the 'General Business' profile that ICO provide for notification, but I'm assuming that DoES isn't actually processing sensitive data?

@johnmckerrell

Member Author

commented Jul 1, 2017

@ajlennon

Contributor

commented Jul 3, 2017

Interesting mail just came in on GDPR and what Wetherspoons is up to:

"Join major companies on the path to compliance
Pub chain J.D Wetherspoons announced this week that they are deleting their entire customer email database, and ceasing all their email newsletters.

This action follows a recent data breach suffered by the company, in which it is reported over 650,000 email addresses were affected.

Major companies are sitting up and taking action, with the May 2018 deadline for the enforcement of the General Data Protection Regulation looming, and the Information Commissioner’s Office (ICO) gearing up to hand down significant fines for those found in breach.

GDPR will overhaul the way data will need to be collected and processed, handing the power back to the user. The new directives will have a substantial impact on any organisation with operations in the UK and EU – making it pivotal that companies take action.

Wetherspoons’ decision is certainly a drastic one, as businesses are not required to delete their customer email databases under the regulation, but it demonstrates the true scale of the impending GDPR and serves as a signpost of things to come. Your customer email database may be a millstone around your neck at the moment, but deleting it entirely is not an option for most businesses."

6 participants