
Re: Groups.io and GDPR compliance

On 03/24/2018 03:39 AM, toki wrote:

> If the list is "owned" by the charity, or is an official organ of the
> charity, then full compliance is required. If the list is owned by an
> individual, then some aspects might be dropped. This is what the court
> cases will be about.
Following up on this, despite the GDPR being an EU directive, specifics
are up to the individual member states. Those differences can be
startling:
* Estonia, for example, requires compliance within five working days,
with a single fifteen day extension permitted, if, and only if, the
original request lacked clarity;
* Ireland, OTOH, gives thirty days to comply, with no extensions;

Additional things that gave me pause were:
* All requested data must be provided to the requester, in a commonly
used format. So far so good. However, for list owners, that means that
if a request is made of all emails sent by the individual, or quote the
individual, the list-owner has to provide them to the requester. The
only path to compliance with that, that I can see, is to set up an email
account that receives all messages sent to the list, and automatically
archives them in an email forensic analysis program;
* Consent to subscribe must be explicit, and must be retained by the
list owner. This implies that list-owners and moderators should not
auto-subscribe individuals, but will, on request, have to unsubscribe
individuals;
* Membership lists contain personal data, and as such, probably should
not be publicly available;

#####

Something to consider is appointing one moderator, whose sole function
is to ensure conformance with GDPR (Europe), CASL (Canada. I have no
idea what this law is about, but I've heard it often enough in
discussions about GDPR, to assume that it has some relevance), and other
privacy legislation in other countries, or regions of the world. IOW, a
mailing list _Data Protection Officer_.

jonathon
