anyone who uses forms on their websites must ensure that it meets the new requirements.
Weebly the web host provider is ready but others are not.
Google analytics will be suspended unless you update and agree to new terms also.
its not difficult to comply but many people wont even bother changing and that could lead to heavy fines or worse to many companies.
I am finding it difficult to comply - I have been working on it for 6 months - hopefully we will be ready before 25th May.
I am a little surprised that the focus does not seem to be on physical security of data but instead more on the contractual arrangements between the company, employees, clients and suppliers.
there are companies doing it for you now. weebly and google are doing it for all their data and my forms are through weebly.
Once we have dealt with a contact form we just delete it forever.
it all falls down to who and how the data is stored. for me its send via email through a mail server on weebly.
We made it clear to clients all data entered will be removed once we have answered an email. most people just call us though and we have only received 1 form in 3 moths. im told weebly is in full compliance.
It boils down to a few simple things:
Do you digitaly store data, if you do does that comply with the new rules.
Does your data get transmitted through a third party such as weebly: yes then does said company comply.
For us i get a notification in my mail box to tell me there is a new form entry. I then visit weebly to see the form and after ive added th form to my offline hotel booking software (GDRP compliant also) i remove the forms even though weebly is GDRP compliant its just something ive always done for the past 3 years.
if you use any third party software to create the forms is that also compliant. its mainly about the software compliance and about how you store data.
Harry
I think we are talking about a different scale of project and the sheer scale of data, organisations and policies involved.
I have been passing a thought as to how, say, a gite owner could not only be compliant but also have the documentation in place to demonstrate compliance on the main 12 required areas if needed in the event of an investigation following a breach.
from a website point of view there are quite a few companies offering this service and its not that expensive.
I have around (ive just looked it up. 350 people on my books. Last year I have over 200 individual clients book in with us. My data is offline though.
Every single client is signing a consent to me keeping their data on my booking software.
It does vary business to business on many different areas. We have opted to limit the data we store and how.
It will be interesting to see if / how many other people are addressing this.
You do need to be careful however as GDPR does not just cover your website it covers your whole organisation.
yup. my booking software is compliant already. Plus the clients names are dogs names, the owners just pay the bill.
not sure dogs names are covered by data protection.
I am ensuring that people sign up for me keeping their data on my booking software and that is pretty much all I need to do. the software is also offline so no outside access via booking sites, we also do not use credit cards.
This is all pretty opaque…and full of technical language. It would be good if there was a plain English summary of these 12 main points, that we would need demonstrate compliance? ( not that I can imagine anyone would be interested in our scale of operation).
there is places you can go to get help and the points while allot of technical stuff is clear to point out its your responsibility to ensure you are compliant with protecting data and also that you have consent to keep said data.
ibm offers a great self assesment tool.
Still opaque…phrases such as “implement appropriate technical and organisational measures” are fairly meaningless. Nothing about what actually defines an organisation that must comply. And since it makes clear that consent can be implied by a person’s relationship with the organisation then that could cover most things. As far as I can see I just need to put a line in the “mentions légales” on the website to say they can contact us to have their details erased if they wish to.
its simple. ANY person or company even sole trader that keeps records of clients details names, phone numbers emails or anything MUST comply with it.
there is allot more to it. if you have a gite and you have someone booked in you have their details on record, we keep customer records for the dogs too.
So if you keep records you must comply.
We have opted to not have a booking form. Most people contact me by phone or Facebook anyhow.
its all down to what info you hold. I hold a name an email and an emergency contact number. we share data with no one.
the IBM review showed me I needed to make no changes apart from to gain consent to hold information and put responsibility on the client of they opted to no longer want me to hold info.
it all comes down to how you gather store and share info.
Thanks for the links, but it is still a dreadful example of poor communication as it remains very unclear exactly what steps you are supposed to take and is full of technobabble.
For example…
" familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation."
Since we are a penny ante set-up my guesstimate as I said is that if we pop a phrase about deleting info onto our mention légale, and perhaps a footnote in the contract, we would be covered. Life’s too short to worry about it any more.
its not that simple alas.
It is not that expensive to get someone to do it for you.
As I said, life’s too short to bother…
until your fined for it which would also cause other investigations into finances. not pretty and if i knew someone didn’t give a crap about my personal data and security id be concerned to give any details to you.
Being investigated in France is not a pretty picture. Know an old AE who got investigated and they found him to be very bad a paperwork and ended up accusing him of fraud and billing him for back taxes he even to this day claims hes innocent but they dont care, they took his assets too. All because life was too short to bother with doing the relevant paperwork.
You misunderstand me. It’s not that I don’t care about people’s data, but that we have so little of it. Under all the terrorism laws we have to keep a record of people who book to stay which is on a piece of paper that never goes anywhere. It sits on a shelf with the annual accounts just in case the tax man comes to call. We don’t have any high tech online reservation system that collects personal data. We are meticulous with the accounts and financial declarations, as that is a risk not worth taking. But the GDRP, well…
seems a pain i know but data protection in this day and age with people stealing others identities all the time we all have to be careful.
We opted to shut our online booking page down and just ask folks to call us, looked at it and out of the 94 bookings we have had in residence so far this year so far only 2 came from the website form. going over the next 100 or so bookings none cam from the online booking forms. we only had 12 forms last year.
I have still gone through the process of looking at the DGRP as its not just relevant to online data. I prefer no matter how tedious to ensure we stay within the law in every aspect.