Is this a big change?
You would be forgiven for thinking it is. To be honest, I think for the most part the basic principles have not changed a lot, and if you were "doing it right" before, you are probably "doing it right" now. There are changes, yes, but it seems to me that the biggest change is around "accountability". Under GDPR you are expected to have a lot more processes in place, and be able to show that. Before, if you did things right you may have more easily got away without all of the paperwork to prove that was the case, but GDPR puts a lot of onus on the paperwork and accountability... GDPR also has big fines, which is what is actually making people jump!
"Consent" has changed...
As a basis for processing personal data the use of "consent" has changed, in rather odd ways. For a start it has to be "freely given", so it cannot be in exchange for some service, which is interesting. But it also has to be revocable. Some of the rules on proving you got consent (i.e. no default pre-ticked boxes) have changed a bit too. And of course the accountability to show you actually got consent is clearer now.
The upshot of this, and paraphrasing the advice from our lawyer, is that anyone relying on "consent" as the basis for processing is crazy.
I know I am seen as speaking for A&A here on my blog in spite of my caveats on the matter, so to be clear, A&A do not use "consent" as the basis for processing. It is far too difficult, and fragile a basis for doing anything really. Why would we - you can withdraw it at any time...
Not that many, to be honest; you had loads of rights before, but maybe a few more now. One thing is that subject access requests are to be free. This is likely to be a pain for many companies.
Once again, with an A&A hat on, pretty much everything we have on you is available on the web pages now (accounts or control pages), and indeed, I expect some level of "full SAR" to be in there soon anyway, depending on if anyone starts asking for lots of data. I'd rather people do not go mad on 25th asking for data, to be honest, as basically we are not the bad guys here hoarding loads of personal data on people, and never have been. A lot of replies will be referencing the data you can access anyway. That is not to say we won't welcome suggestions and feedback on this all.
Privacy at the core of the business
This is where A&A are a bit different, and I had a long chat with our company lawyer on this the other day. Obviously we have been working on this for months, but he was impressed how we do take privacy seriously at every level as a matter of course really. It has made his job a bit easier as basically we are not changing what we do, but doing the paperwork to document what we do and so on. Not only is the company simply not in the "business" of selling / processing personal data in the first place, but we have myself and key staff on the case every day challenging everything we do, or consider doing, from a privacy standpoint.
Some changes at A&A
To be honest, the whole process has meant we are looking more closely at some aspects of what we do, and so some things like the way we identify customers that call/irc/email/etc may be tightened up a bit. We need the right compromises of helpful and secure. We did a lot of this last year with controls over levels of security on accounts and two factor authentication so as to give our customers a choice of the level of security (or paranoia) they felt was needed for their data. That was all done before we even really considered GDPR, just how we work and how we can be better at privacy!
But obviously we welcome feedback: if you feel we are too strict or not strict enough on verifying you as a customer, please do tell us. The whole process here is a lot about learning the right balance to ensure people have the right level of privacy and convenience.
OK, the real reason to read this - those annoying emails to re-confirm consent!
We have all had them, heck they are filling the inbox for us all - asking to reconfirm "consent" before 25th May.
I don't know what to say to be honest. I do not think a single one of these emails is from someone that I actually gave consent to in the first place!!!
We've had them sent to mailerdaemon@somedomain at the office, clearly not an email address anyone used or consented to receiving marketing (or any other) emails at.
The only light at the end of the tunnel is that, if we are lucky, all of these muppets delete us from their mailing lists for fear of fines related to GDPR.
But, really, none of them should have us on the mailing list anyway under existing privacy and data protection laws, FFS! If only the ICO had enforced the laws we had, this would have not been an issue, IMHO.
If you have a lawful basis to have someone's details and send them email, GDPR does not really take that away, and so you do not need these stupid emails asking to re-consent.
Anyone considering sending such emails over the next week or so - talk to someone that understands GDPR properly, i.e. @neil_neilzone