Jon Moon

Clarity and Impact

GDPR

My thoughts, May 2018 ('General Data Protection Regulation')

This page looks at the new EU rule that's now in force. Section 1 is the 'serious' bit, the rest is more irreverent:

1. Summary: how I comply; what you need to know

2. My thoughts on this latest box-ticking nonsense

3. My 'Fair Processing Notice', for what it's worth

4. Two GDPR-related jokes - enjoy

 

1.  Summary: how I comply; what you need to know

(And this covers both Jon Moon, the human being that wrote, published and sells the book Clarity and Impact, and Clarity and Impact Limited, the company that gives training courses.)

The headline: your data has been - and will be - safe with me. And I never share it with - or sell it to - anyone.

Some more detail: I get hold of your details three ways:

(1) When you enter your details to access the free 'Downloads' page of this website. You can give fake ones. Some do, e.g. a.a@co.uk. I haven't set up a password system to prevent this ("I'll email you a password so you can access downloads"). We've all enough passwords in our lives already.

(2) When you buy a book via this website. You enter: name; postal address. I don't have or keep your credit card details. You pay via Stripe, a system that's like PayPal.

(3) When you attend a talk or Course. If delegates are comfortable doing so, I ask them to scribble their email on a piece of paper. If they aren't, they don't. 

I then type your scribbles into my system (it's password-protected and web-based). I input: name; date attended; company, if an in-house event. 

I use these details to do mailshots via MailerLite (a popular web-based mailshot system). I send two types of email:

(1) Follow-up emails after Courses/talks, e.g. "Good to meet you, you're in my system, here's the key downloads, etc";

(2) Monthly brief email updates to everyone in my system, e.g. "Here's a tip, here's a bad graph to laugh at, etc". Plus I market my book and Courses.

All my emails tell people they can unsubscribe if they wish.

I never dump your data into Excel or onto a memory stick or laptop. As for the 'scribbled' pieces of paper, they're shredded - every three years, I send lots of stuff to a shredding firm.  

 

That's it. But it isn't. GDPR seems to demand more. Hence the rest of this page. Good luck.

 

2.  My thoughts on this latest box-ticking nonsense

To ensure my company complies with GDPR, I spoke to my Chief Technology Officer.

Which is me. He sorts out stuff like this - he’d recently drafted an anti-slavery policy (he’s also Chief Anti-Slavery Officer), plus proved to our bank we’re not drug barons (he wears the Chief-Money-Laundering-Officer hat too).

The CTO said I must appoint a Chief Data Protection Officer.

Which will be me, I guess. (One day, I'll do an org chart to help clarify all this.)

The CTO then pointed out two facts:

1. Every day, I receive dozens of marketing and ‘update’ emails, yet in the period leading up to GDPR Launch Day, I'd received 'GDPR' emails from less than half of them.

2. The 'GDPR' emails were a mixed bag. Some said: "Opt in". Some said: "If you want, opt out". Some just told me stuff.

So, to comply with GDPR, what should I do? 

The answer came when I got a GDPR note from a bank I use. It said they’d updated their Fair Processing Notice (FPN).

Lo, this is the answer. In the opinion of legal bods in that bank, an FPN  cracks it. So, I surmised, it cracks it for me.

Below I answer the 21 questions that the bank answered in its FPN. It's my Fair Processing Notice.

 

3.  My 'Fair Processing Notice', for what it's worth

First, the intro that the bank had:

"GDPR is an EU regulation that is intended to give people greater protection over their personal data. It aims to achieve this by ensuring that organisations make people aware of how and why they process their personal data and of their rights in relation to their personal data. It also gives regulators greater powers to ensure that organisations process people's personal data appropriately."

(Editorial note: notice the choice of words in that paragraph – the new GDPR is ‘intended’ to give greater protection, not ‘gives greater protection’. And it ‘aims to achieve this’, not ‘achieves this’. Is Hampshire Bank trying to tell us something?)

On with the 21 questions- and first five are answered in section (1) above (who we are; the data I collect and hold; how I get it; where I store it; what I do with it).

As for the other 16 questions, here goes....

Our data protection officer: it’s me, Jon Moon. To contact me, email jon@jmoon.co.uk. If you prefer – and if you live in Ealing, London - let's have a cuppa at a local Starbucks.

The legal basis up on which I collect, process and store your personal data: I don’t understand this question, so can’t answer it.

How fraud prevention agencies process your data: I don’t know. Ask them.

Who I share your personal data with: my wife... sometimes your details are manually typed into my system not by me but by her. 

Important information for children: floss regularly.

Your right to data portability: if this means anything to you, and you want to draw it to my attention, let me know.

How long I will store your personal data: until you tell me to delete it. Or until I retire.

Your right to have processing of your data restricted: if there's a restriction you want me to apply, let me know.

Your rights to your personal data: to see what I hold on you, ping me an email and I’ll tell you. If you want it changed or deleted, let me know.

Your right of access to your personal data; and rectification; and erasure; and objection to processing: see above.

Your right not to be subject to automated decision making and profiling: such stuff is far too whizzy for me to do.

Your right to complain to the Information Commissioner: a weird clause... I’m not sure I can stop you complaining. This one is akin to saying: I give you the right to breathe.

Where you can find my Fair Processing Notice: if you're reading this, you can guess the answer... it's here (well, duh).

 

4.  Two GDPR-related jokes - enjoy

1. Two people are chatting. "Can you recommend a GDPR consultant?" "Sure can", comes the reply. "Brill... can I have their email?" "No, it's not allowed."

2. A bloke sits on a train in London, tearing paper into strips and throwing them out the window. "Why are you doing that?", a kid asks. "To keep elephants away", he replies. "But there are no elephants in London...?!?", the kid says. "Exactly - it works."

This joke applies also to the Y2k fun-and-games 19 years ago.