  1. #1
    Members
    Join Date
    Dec 2003
    Location
    Worcester England
    Posts
    7,734

    GDPR data retention


    I know a couple of people on here did their GDPR roll-outs for their work/websites, not least @Bozza.

    I have a reasonable understanding of data compliance and GDPR/DPA; it's always been associated with my line of work, but I want to put this out - your thoughts...

    Upon trying to open an account, online, with a large multimedia company this week (purely to take advantage of an offer for new customers) I was very surprised when it told me that I already had an account. I enquired how this could be, as I have been out of the country since 2010 and I have a totally different phone number, email address and physical address. They said they could verify the account was from 2006 and could I confirm my mother's maiden name and my address at this time. Well, I said no, the postcode would be BN something but I have no idea of any more than that. But firstly, why have you still got my information from 12 years ago? And secondly, why are you validating customers based on their name and DOB with 12-year-old data? It's not exactly a proper unique identifier. Indeed I worked with a guy with the same first name and exactly the same DOB (we were in fact born in the same hospital and lived a street apart, but I digress). It's not like it is the police, or the NHS, or even a financial institution.

    I asked them to get a manager to email me, to which they stated "a manager is not going to be emailing you back about this".

    Well, that got me annoyed. Mostly because I wanted to have a free offer. But actually, to me that is a totally unacceptable amount of time to hold someone's data. Yes, I know companies have to keep reasonable data for business purposes. Perhaps for validating car finance, or applying for a loan - even then I think 12 years is too much. Notwithstanding that the verification of who I am, or was, or might be is flawed.

    I might bring it to the ICO. To be honest, I wouldn't even think that they could accurately exercise my right to be forgotten, as I wouldn't see how I could even validate that the DOB and name of the account holder at a Brighton address 12 years ago was indeed me. (I am sure it was, by the way, though I couldn't prove nor disprove it.) There is tons of legacy data around, I know, but to me this isn't acceptable. Nor is their response when I asked for it to be escalated.
    Thoughts?
    Last edited by maffew; 23-09-2018 at 08:39.

    • #2

      Would probably come under "legitimate interests" under current regs. They should spell out the retention reasons in their privacy policy.
    • #3
      aka Cap'n Carl Firecrotch Westdene Seagull's Avatar
      Join Date
      Oct 2003
      Location
      The arse end of Hangleton
      Posts
      15,903


      Time for a Subject Access Request, and once you have the information ask them to delete it.
      The devil whispered in my ear: "You're not strong enough to withstand the storm."
      I whispered in the devil's ear: "I am the storm."
    • #4
      Members
      Join Date
      Dec 2003
      Location
      Worcester England
      Posts
      7,734


      Quote Originally Posted by jasetheace
      Would probably come under "legitimate interests" under current regs. They should spell out the retention reasons in their privacy policy.
      Yeah, the legitimate interests nonsense to me is a wildcard they can play. Here they will say "well, it is of legitimate interest": we identified you as an historic customer (probably) and therefore 12 years prevented duplicating your customer details. I thought it was meant to be "reasonable" and "proportionate" though. Which to me is things like NHS/dentist records, or the DNA database. Not a multimedia account loosely coupled with me.
    • #5
      Members
      Join Date
      Dec 2003
      Location
      Worcester England
      Posts
      7,734


      Quote Originally Posted by Westdene Seagull
      Time for a Subject Access Request and once you have the information ask them to delete it.
      Now I can do that (I think they can charge for it?). In this instance, if I am truly honest, it's more a matter of principle really now, and I am annoyed that they didn't see my concern as a valid reason to log it with their compliance people to contact me back.
    • #6
      A. Virgo, Football Genius
      Join Date
      Jul 2003
      Posts
      25,050


      The old records allowed them to identify you as a returning customer and not a new one. Sounds like an argument for a reasonable time to hold the data. The legislation is flexible, with no length of time; it says data held needs to be for an explicit purpose and limited to what is needed for the purpose. If you have a database called "historic customers", the length of time it can be retained is pretty much indefinite. Agree this may be against expectation and the spirit of the GDPR, but there you are.
      Daily Mail readers are living in a perpetual hell, expecting their homes to be overrun at any minute by hoodie wearing, skunk smoking, muslim, transgender, asylum seekers.
    • #7
      Members Horses Arse's Avatar
      Join Date
      Jun 2004
      Location
      here and there
      Posts
      1,922


      Quote Originally Posted by maffew
      I know a couple of people on here did their GDPR roll-outs for their work/websites, not least @Bozza.

      I have a reasonable understanding of data compliance and GDPR/DPA; it's always been associated with my line of work, but I want to put this out - your thoughts...

      Upon trying to open an account, online, with a large multimedia company this week (purely to take advantage of an offer for new customers) I was very surprised when it told me that I already had an account. I enquired how this could be, as I have been out of the country since 2010 and I have a totally different phone number, email address and physical address. They said they could verify the account was from 2006 and could I confirm my mother's maiden name and my address at this time. Well, I said no, the postcode would be BN something but I have no idea of any more than that. But firstly, why have you still got my information from 12 years ago? And secondly, why are you validating customers based on their name and DOB with 12-year-old data? It's not exactly a proper unique identifier. Indeed I worked with a guy with the same first name and exactly the same DOB (we were in fact born in the same hospital and lived a street apart, but I digress). It's not like it is the police, or the NHS, or even a financial institution.

      I asked them to get a manager to email me, to which they stated "a manager is not going to be emailing you back about this".

      Well, that got me annoyed. Mostly because I wanted to have a free offer. But actually, to me that is a totally unacceptable amount of time to hold someone's data. Yes, I know companies have to keep reasonable data for business purposes. Perhaps for validating car finance, or applying for a loan - even then I think 12 years is too much. Notwithstanding that the verification of who I am, or was, or might be is flawed.

      I might bring it to the ICO. To be honest, I wouldn't even think that they could accurately exercise my right to be forgotten, as I wouldn't see how I could even validate that the DOB and name of the account holder at a Brighton address 12 years ago was indeed me. (I am sure it was, by the way, though I couldn't prove nor disprove it.) There is tons of legacy data around, I know, but to me this isn't acceptable. Nor is their response when I asked for it to be escalated.
      Thoughts?
      There's a fella called Tim something or other that is an expert on such things, I believe. Hangs around Hove Lawns mostly.
      "NO MATTER WHAT (unless I don't like my seat)"
    • #8
      Members
      Join Date
      Dec 2003
      Location
      Worcester England
      Posts
      7,734


      Quote Originally Posted by beorhthelm
      The old records allowed them to identify you as a returning customer and not a new one. Sounds like an argument for a reasonable time to hold the data. The legislation is flexible, with no length of time; it says data held needs to be for an explicit purpose and limited to what is needed for the purpose. If you have a database called "historic customers", the length of time it can be retained is pretty much indefinite. Agree this may be against expectation and the spirit of the GDPR, but there you are.
      OK, I get that. And clearly their data retention policy for historic customers has identified me as a possible returning customer. But name and DOB as a primary key, if you like? I would never get away with using those as an identifier with historic data (even with a mother's maiden name appended to it), and I actually couldn't confirm the address I was living at at that time. Nor would I expect to hold on to that kind of information for so long. I don't know what/if I intend to do anything, because it's not exactly for a mortgage or a crime I didn't commit. Just seems inappropriate.
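Two points from the last couple of posts can be made concrete in code: name plus date of birth does not uniquely identify a person across a legacy customer table, and "indefinite" retention is exactly what a purpose-bound retention period is meant to prevent. The following is an added example, not code from the thread or from any of the companies discussed; the records, names, dates and postcodes are constructed, and the retention periods per purpose are assumed placeholders that an organisation would set in its own privacy policy, since, as noted above, the GDPR itself fixes no number of years.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of legacy customer records; every value here is invented.
RECORDS = [
    {"id": 1, "name": "Alex Smith", "dob": date(1980, 5, 14), "postcode": "BN1 1AA",
     "last_activity": date(2006, 3, 1), "purpose": "marketing"},
    {"id": 2, "name": "Alex Smith", "dob": date(1980, 5, 14), "postcode": "BN2 3BB",
     "last_activity": date(2017, 8, 20), "purpose": "contract"},
    {"id": 3, "name": "Sam Jones", "dob": date(1975, 11, 2), "postcode": "WR1 2CC",
     "last_activity": date(2016, 1, 10), "purpose": "marketing"},
    {"id": 4, "name": "Sam Jones", "dob": date(1991, 7, 30), "postcode": "WR1 2CC",
     "last_activity": date(2018, 6, 5), "purpose": "contract"},
]

# Assumed purpose-bound retention periods in years (placeholders, not legal advice):
# each purpose gets its own clock, so a record is never kept "just in case".
RETENTION_YEARS = {"marketing": 2, "contract": 6}

# The date of the thread, used as the "as of" point for the retention check.
AS_OF = date(2018, 9, 23)


def duplicate_identities(records):
    """Group records by (name, DOB) and return the groups that collide.

    Returns a dict {(name, "YYYY-MM-DD"): [ids...]} for keys shared by more
    than one record. A non-empty result shows why name + DOB is not a safe
    primary key for matching a new applicant to an old account.
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec["name"], rec["dob"].isoformat())].append(rec["id"])
    return {key: ids for key, ids in by_key.items() if len(ids) > 1}


def expiry_date(record):
    """Date after which the record has outlived its purpose's retention period."""
    years = RETENTION_YEARS[record["purpose"]]
    last = record["last_activity"]
    # Same day and month, N years on; the sample dates avoid 29 February.
    return date(last.year + years, last.month, last.day)


def records_past_retention(records, as_of):
    """Return ids (sorted) of records that should have been deleted by `as_of`."""
    return sorted(rec["id"] for rec in records if expiry_date(rec) < as_of)


if __name__ == "__main__":
    print("colliding name+DOB keys:", duplicate_identities(RECORDS))
    print("records past retention as of", AS_OF, ":", records_past_retention(RECORDS, AS_OF))
```

Run as a script it reports that the two "Alex Smith" records share a name and DOB yet sit at different postcodes, and that records 1 and 3 are past their (assumed) retention clocks while the two contract records are still within theirs. A real purge job would act on that second list on a schedule and log what it deleted, which is also the evidence you would want to hand over if a subject access request or an ICO enquiry asked how long data is kept.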
    • #9
      Members
      Join Date
      Dec 2003
      Location
      Worcester England
      Posts
      7,734


      Quote Originally Posted by Horses Arse
      There's a fella called Tim something or other that is an expert on such things, I believe. Hangs around Hove Lawns mostly.
      Ah, rings a bell. What's the weather like down there, I wonder.
    • #10
      Muslamic Infidel
      Join Date
      Oct 2003
      Posts
      5,359


      Quote Originally Posted by maffew
      Now I can do that (I think they can charge for it?). In this instance, if I am truly honest, it's more a matter of principle really now, and I am annoyed that they didn't see my concern as a valid reason to log it with their compliance people to contact me back.
      Subject access requests are free in most cases now under GDPR and they’ve got to respond inside 30 days.

      https://ico.org.uk/for-organisations...ght-of-access/

      As others have said they should have a privacy policy which outlines data retention. Where I work we’ve done a lot of work around GDPR and we’ve got to keep certain data for a number of years by law as we provide health care. This is all clearly outlined in our privacy policy.

      I’d certainly do a subject access request and if they don’t respond in a timely manner report it to the ICO, you can also exercise your right to be forgotten by them.
      Artist formerly known as joey_jo_jo_jr_shabadoo
