BCF: Bike Chat Forums


GDPR Compliance


Easy-X
Super Spammer



Joined: 08 Mar 2019
Posted: 12:33 - 27 Jul 2021    Post subject: GDPR Compliance

I'm sure we have some clever computer bods on here and I'm wondering if you could help me wrap my head around GDPR Praying

I'm writing a POS integration for [unnamed slave drivers] and (as is usual) a long API contract awaits. Embedded in there is a "...we send you PII..." hence the mention of GDPR. Thing is we don't even need any of this personal information, we just want the sale items and the special code for the slave delivery rider.

I could quite easily ignore this personal information at the Cloud side but technically we're still being sent it. Is this enough to not worry about GDPR or am I going to need to write up some compliance spec on how we don't actually process anything?

There's no need for [unnamed slave drivers] to send us this info but technically the target site could do their own fulfilment, not that anyone does. If they did they'd probably have their own website or use Just Eat. Anyhoo, seems like the data centre hobgoblins are all "send them it anyway whether they need it or not!" which I thought GDPR was meant to put a stop to Sad
____________________
Husqvarna Vitpilen 401, Yamaha XSR700, Honda Rebel, Yamaha DT175, Suzuki SV650 (loan) Fazer 600, Keeway Superlight 125, 50cc turd scooter

Zen Dog
World Chat Champion



Joined: 11 Aug 2004
Posted: 15:42 - 27 Jul 2021

It seems like you need the advice of a compliance specialist more than a computer one. I've got some GDPR experience but I'm not an expert (in this...or anything else to be honest).

But it seems to me that your issue comes down to - If you are being sent personal data, but you don't access it or store it, are you still a data processor in the GDPR sense?

If you're not, yay. If you are, well it's time to open the GDPR can of worms. I suspect the answer will be that you are a data processor, but it's definitely worth finding out for sure, because if you're not you're going to save a lot of effort.

This may or may not be helpful - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/controllers-and-processors/how-do-you-determine-whether-you-are-a-controller-or-processor/
____________________
Current - '94 VFR750FR, '00 VFR800FI Previous - '10 Street Triple R, '92 MZ ETZ301, '05 TTR250, NSR125R, KMX125, "Honda" Win (chinese copy of an old Honda design with a C90 engine)
My bike trip around S.E. Asia 2010/2011

Easy-X
Super Spammer



Joined: 08 Mar 2019
Posted: 11:49 - 28 Jul 2021

Thanks, there seems to be loads of info on what to do if you are a controller or processor to the point where it drowns out any meaningful discussion on edge-cases. Maybe this is the intent to keep compliance officers in a job Laughing

Islander
World Chat Champion



Joined: 05 Aug 2012
Posted: 12:02 - 28 Jul 2021

That's an interesting one.

If they're sending you personal or special category information as a part of a system development (presumably for testing purposes?) when they don't need to then they're in breach. If it IS for testing purposes then they're really in breach as all development/testing data should either be dummy data or anonymised to the extent that it's impossible to identify an individual from that data. If you accept that data then your head is on the block too.

If it's all legit then you have Data Protection (not just GDPR) responsibilities.

Speak to a Data Protection specialist.

Easy-X
Super Spammer



Joined: 08 Mar 2019
Posted: 13:56 - 28 Jul 2021

Just had a deep dive into the API specs and regardless of fulfilment type we will apparently be getting First Name, Last Name and an "anonymised" phone number. (I assume this number runs through some sort of proxy dialler that forwards the call on.) Only restaurant fulfilment hands out the punter's address, phew!

Is First Name, Last Name enough to trigger the need for all this GDPR & Data Protection stuff?

<edit> just been informed we don't get the last name, even better! I think I panicked a bit too much, sorry guys Doh!

Islander
World Chat Champion



Joined: 05 Aug 2012
Posted: 21:21 - 29 Jul 2021

Easy-X wrote:
Just had a deep dive into the API specs and regardless of fulfilment type we will apparently be getting First Name, Last Name and an "anonymised" phone number. (I assume this number runs through some sort of proxy dialler that forwards the call on.) Only restaurant fulfilment hands out the punter's address, phew!

Is First Name, Last Name enough to trigger the need for all this GDPR & Data Protection stuff?

<edit> just been informed we don't get the last name, even better! I think I panicked a bit too much, sorry guys Doh!


The definition is any piece of information that on its own or with one or more additional pieces of information can be used to identify a living individual.

If it were first name + last name then you've got a living individual right there. If it's a first name and the rest anonymised (properly anonymised!) then you're probably alright. Thumbs Up

Development really should use entirely dummy data though.
All times are GMT + 1 Hour