Quote Originally Posted by SWv2
It really boils down to consent from the individual, consent to 1) hold their personal data and 2) consent to use the personal data for purposes which are made clear to the subject and to which he/she further consents.

To clarify point 2, a person may consent to their details being used for relatively innocent marketing missives but then not for further processes such as profiling, which in turn may be used for decision making.

The thorny issue is legacy data: whereas controls for the above can or must be put in place from 05/18, how does one address the data already in place on databases? We have over half a million such people on a master database and cannot really be expected to contact all in order to clarify such issues.

This is the obvious one - customer data on marketing or CRM databases; you then need to widen the scope and look at HR records and whether or not there is reason to collate all the data you do. Even something such as the use of CCTV is of course governed by basic DP rules.

Sorry.

This is helpful, thanks. We have about 50,000 people on our db. This might be an excuse to delete about 40,000 of them.

Then the books auditor will turn up and say "Where is your old customer data?"

"Oh."

The more interesting part of the job is to find new ways to use data for useful, entrepreneurial things like profiling for marketing and customer retention and care. If we have to document explicit algorithms and get consent at every step like fumbling students trying to have sex in a highly-controlled university campus it'll be no fun at all.

I wonder what the likes of yer googles, facebooks and amazons are going to do. This sort of algorithmic profiling is part of their bread and butter, I thought.

Ten million Euro fine for non-compliance? Or 4% of turnover - whichever is larger? How many businesses and jobs are going to get vapourised if they enforce that?