Maybe, but unless someone can produce legislation that demonstrates IPs are personal information it’s a moot point what Paddle are doing. I would imagine they are doing this because they are not just processing IP’s but other data that make IPs personal information in their context.
GDPR is about what I’m processing. Not about what others process. If companies take non personal information from three different websites and put it together to make personal information then they are processing personal information, not the three websites they obtained the data from. ICO will not hold me accountable for the data someone else is processing.
The problem is we’re not talking about legislation when it comes to IPs being personal information as none such exists. We’re talking about conjecture.
I totally agree, and think the best starting point is to look at what data you collect and ask yourself if you can identify an individual with this information. If yes, follow GDPR, if no, you need do nothing.
I don’t think it is. In fact I think the UK ICO have been exceptionally helpful with their website and their advice on the phone. GDPR is really not that complex. It’s looking to enforce people’s rights to their data. We found the key to be understanding that it’s only to do with information that identifies an individual and then you respect the rights they have under GDPR. The six legal basis for processing also make it easy to work out where things fit.
I found it quite funny today…
I have a building company, and today was asked by one of my regular customers (a law firm) to fit locks to all the cupboards in their offices so they can comply with GDPR.
So working away I took the opportunity to ask the lawyer sitting at his desk,
“is an IP address considered personal data under GDPR”
That depends on the context, he replied and seemed reluctant to comment further.
Working in another office, again I asked another lawyer,
“is an IP address considered personal data under GDPR”
No, he replied, not unless you match the IP to someone by another process.
“Are server logs OK then?” I asked…
Ah, You’d need to speak to a lawyer I think, he replied, hinting he’d had enough of this conversation.
Working in another office, again I asked another lawyer,
“is an IP address considered personal data under GDPR”
Yes, it clearly states that they are, she replied.
I didn’t push this final conversation.
I just thought to myself, man oh man nobody knows, not even the lawyers.
Off topic, sorry: What really concerns me here is that many small businesses are being hit really hard by GDPR. I have had dozens of devs emailing me this week who I know are one/two people working with passion and their mailing lists are basically being destroyed by GDPR… and it’s their most valuable asset.
Again the EU introduce legislation that back fires. (elf 'n safety). We need to stop self harming now. GDPR is meant to be a good thing and so far all I sense is that lots of tiny online businesses will go under whilst Facebook will carry on farming our data out to Cambridge Analytica et al. Hurrah!
If their mailings are valuable to the customers they will re subscribe. No one should have held personal data that was not relevant or necessary under existing laws but many businesses flouted those laws, not just larger companies but the ones who ring and write to my address thinking my grandad is still alive and wants some new windows or a holiday. If you already implement good privacy practices then it is just a case of updating the privacy policy and some admendments to the website back end. I’m a ‘one man band’ here and will be spending less than 20 hours on the GDPR stuff across a couple of websites.
As for health and safety. You visit an ancient monument abroad without handrails, signs and safety features and you will see how we in UK actually overburden ourselves in implementing most EU law!
If they are existing email lists, not everyone is doing the ‘resubscribe’ thing.
Based on the research I have done, work email are treated differently to personal emails and will not be affected in the same way.
Secondly, if someone has been receiving emails from you and has had the option to unsubscribe, but hasn’t there shouldn’t be a problem (from a marketing firm whose main business is sending out emails)…
The issue is that the laws are being treated as though everyone has the same situation and that really isn’t the case
Thanks Barrie I didn’t know that…very useful information for my wife who has a small business with 1000 subscribed customers who have chosen to subscribe. The default action which is to unsubscribe the customer if they don’t actively re-subscribe would be the end of her business as many of her customers are elders and would probably not know what to do.
Anyhow the thought of sending out an email saying unless you do this now it’s ‘bye bye’ is really upsetting for her as it’s taken her decades to get that 1000 peole.
