You could argue that $7/mo isn’t the most expensive thing in the world, but paying $7/mo for doing essentially nothing is quite expensive.
I spent a couple more hours getting the subdomain for the widget set up correctly with Route 53 and ACM, and wiring that up to the API Gateway custom domain configuration.
I’m not hating, we’ve all been there - I just hope all parties were happy with trading a couple hours of developer time for the same cost as hosting the thing for 10 years ;)
It’s a bit weird there’s no “grandfather clause” where data gathered before the introduction of GDPR is exempt from explicit consent. But I do remember a fear when it was implemented in Sweden was that scofflaws and trolls would tie up government agencies from day 1 with more or less frivolous attempts to “get ’em” violating the GDPR.
This is why there was such a long introductory period. You had a couple of years before the GDPR came into effect to contact everyone about whom you were storing PII and request consent.
I am not sure that this is actually a compliant implementation. You have to provide a mechanism for withdrawing consent, as well as for granting it, and individuals can require that you delete all PII associated with them. Holding their email address without the opt-in flag would put you in violation. If you have any mechanism for adding people that isn’t their direct submission of their email address, then you need to retain some hashes to prevent you from accidentally adding them back. I came across this case in the context of a college, which has a legitimate interest rationale for being able to keep the names of alumnae, but which needed to be able to ensure that ones that had opted out of having their contact information stored never had contact information added as the result of merging the alumnae list with some other public databases.
Thank you for raising this point and of course, you are correct. The current solution is by no means perfect. We’ve sort of solved the first half of the issue, getting the opt-in action logged somewhere and surfaced in the CRM.
The opt-out flow is currently fairly rocky — the person could either navigate to the consent form again and rescind their consent, or get in touch with the company and ask for their consent to be revoked, or indeed to have their PII deleted.
Still, I’m surprised that the CRM software does not handle this. It would be such a value-add to have this functionality built-in, compliant and correct.
Still, I’m surprised that the CRM software does not handle this. It would be such a value-add to have this functionality built-in, compliant and correct.
I’m a bit surprised at that too. I’m pretty sure it’s been a thing that the Dynamics 365 marketing stuff has been shouting about for a while. One of the advantages of SaaS-type CRM offerings (versus on-premises offerings) is that the seller, as well as the user, has responsibilities under the GDPR and so has a much bigger incentive to care about compliance.
By the way, did you check for Schrems II compliance? It looks as if your hosting provider is in the US, which may be a problem.
Aside from what david mentions, for a lot of things, you had to get consent before the GDPR.
A particularly visible example is newsletters. You had to use and present opt-in before the GDPR. What the GDPR did in that area is introduce enforcement that has teeth and hurts.
I’m not hating, we’ve all been there - I just hope all parties were happy with trading a couple hours of developer time for the same cost as hosting the thing for 10 years ;)
It’s a bit weird there’s no “grandfather clause” where data gathered before the introduction of GDPR is exempt from explicit consent. But I do remember a fear when it was implemented in Sweden was that scofflaws and trolls would tie up government agencies from day 1 with more or less frivolous attempts to “get ’em” violating the GDPR.
This is why there was such a long introductory period. You had a couple of years before the GDPR came into effect to contact everyone about whom you were storing PII and request consent.
I am not sure that this is actually a compliant implementation. You have to provide a mechanism for withdrawing consent, as well as for granting it, and individuals can require that you delete all PII associated with them. Holding their email address without the opt-in flag would put you in violation. If you have any mechanism for adding people that isn’t their direct submission of their email address, then you need to retain some hashes to prevent you from accidentally adding them back. I came across this case in the context of a college, which has a legitimate interest rationale for being able to keep the names of alumnae, but which needed to be able to ensure that ones that had opted out of having their contact information stored never had contact information added as the result of merging the alumnae list with some other public databases.
Thank you for raising this point and of course, you are correct. The current solution is by no means perfect. We’ve sort of solved the first half of the issue, getting the opt-in action logged somewhere and surfaced in the CRM. The opt-out flow is currently fairly rocky — the person could either navigate to the consent form again and rescind their consent, or get in touch with the company and ask for their consent to be revoked, or indeed to have their PII deleted.
Still, I’m surprised that the CRM software does not handle this. It would be such a value-add to have this functionality built-in, compliant and correct.
I’m a bit surprised at that too. I’m pretty sure it’s been a thing that the Dynamics 365 marketing stuff has been shouting about for a while. One of the advantages of SaaS-type CRM offerings (versus on-premises offerings) is that the seller, as well as the user, has responsibilities under the GDPR and so has a much bigger incentive to care about compliance.
By the way, did you check for Schrems II compliance? It looks as if your hosting provider is in the US, which may be a problem.
Aside from what david mentions, for a lot of things, you had to get consent before the GDPR.
A particularly visible example is newsletters. You had to use and present opt-in before the GDPR. What the GDPR did in that area is introduce enforcement that has teeth and hurts.
I don’t think this article has anything to do with the GDPR at all. Opt-in for e-mail marketing is regulated by the e-Privacy directive.
Thanks for this explanation, I was eternally grateful not to have to deal with this stuff when it was coming along the pipe.
That would’ve caused a lot of companies to start selling/acquiring their marketing data like crazy, in order to be “grandfathered in”
Haha — indeed. Everyone was happy with the deal in this case. :-)