Doanh nghiệp nhỏ thường xử lý DSAR/GDPR/CCPA ra sao? Nhiều startup chỉ quan tâm khi gặp khủng hoảng. Quy trình gồm xác minh danh tính, thu thập dữ liệu, che giấu thông tin nhạy cảm... nhưng nhiều nơi chưa nghiêm túc. Ví dụ: email privacy@ của dự án Product Hunt không hoạt động. Bạn xử lý thủ công hay qua email? Tần suất nhận yêu cầu? Cần đầu tư quy trình phức tạp ngay không? #GDPR #DSAR #QuảnLýDữLiệu #Startup #Privacy #CôngNghệ #BảoMật

https://www.reddit.com/r/SaaS/comments/1pj0uq1/how_are_you_

Hey loveliests  

We wrote a post back in June, which we recommend reading first for context if you aren't aware of the situation.

In short, the practice manager from our GP surgery emailed us this afternoon with a copy of the response from the local ICB. As expected, it was a "no".

"Regrettably, we cannot approve your funding request as there is no evidence to show this patient is likely to gain significantly more clinical benefit from Glottoplasty surgery than might be normally expected for the general population of patients with the condition or circumstance i.e. gender dysphoria and neurodiversity. Unfortunately, we are not able to take purely psychological issues into consideration."

It's not something we can afford privately or could save up for, for reasons we won't rehash. (We've written some longer update posts back in late April and late May.)

Our only remaining option now is a fundraiser, but we need to work out how to do so without needing to disclose our surname, since we can't have our alias identified with our full name  

#trans #transgender #VoiceTraining #VoiceFeminisation #VoiceFeminisationSurgery #VFS #VoiceDysphoria #NHS #NHSEngland #EOEGS #PALS #IFR #ICB #ICS #GDNRSS #GAHT #GDPR #DSAR #TransRights #TransRightsAreHumanRights #LGBTQ+ #LGBTQIA+ #queer #GenderAffirmingCare

Hey folks  

So, we're going to try to keep this post shortish for our own wellbeing and sanity, as well as yours.

We will, however, frontload some abbreviations and links:

• EOEGS - East of England Gender Service
• Gender Clinics
  • Aka GIC (Gender Identity Clinic) or, solely by the NHS, Gender Dysphoria Clinic (GDC)
• IFR - Individual Funding Request
• ICB / ICS - Integrated Care Board / System
• GDNRSS - NHS Gender Dysphoria National Referral Support Services
• GAHT - Gender-Affirming Hormone Therapy
• FFS - Facial Feminisation Surgery
• VFS - Voice Feminisation Surgery
• GP - General Practitioner
• PALS - Patient Advice and Liaison Service
• PHSO - Parliamentary and Health Service Ombudsman

We have already written up about some of our early experience of trying to get gender-affirming care from the NHS in an article for TransActual, but that was published back in October 2023, so it's more than a little outdated now 😅

Back in August 2023, we knew it was possible to request funding for gender-affirming surgeries not routinely covered by the NHS via IFRs. These are submitted to your local ICB, who will likely refuse funding unless you've made a really good funding case.

(It's worth noting here that such gender-affirming surgeries are recommended by WPATH's SOC8: the NHS just disagrees and refuses to follow the international recommendations.)

Nonetheless, we mostly just wanted the chance to put our case forward for VFS. A standalone bilateral orchidectomy and FFS were there, but as lower priorities, since it was our voice causing us the most issues.

(We won't list all of our voice dysphoria issues here, but basically we've been doing voice feminisation training since December 2021 and we're nowhere near even the lowest-end voice goals. Our voice leads to us getting regularly misgendered both on the phone and even in person 😞 We've done our genuine best for years and VFS is very much our last resort.)

We are going to give selective details of what's happened since, but we'll first cut to key points: the EOEGS (our gender clinic) has been refusing to comply with their responsibilities for approaching 2 YEARS and no-one within the NHS will hold them to account.

First they denied responsibility for IFRs and tried to say it was our GP's responsibility. So, we went to our local ICB to ask them and got given the details for the NHS England IFR team, who told us -- in no uncertain terms -- that it was the responsibility of the EOEGS to submit these for us. That was back in very early 2024.

We forwarded this to the EOEGS, and then followed it up with them at our 3rd appointment (Q1 2024). They still denied responsibility, so we forwarded on the proof again. And waited. 3 months later (Q2 2024), we chased... and waited again.

Near the end of Q3 2024, the EOEGS finally wrote up the notes from the 3rd appointment (~6 months ago), and mailed them to us and our GP in the post (no digital copy or email)... with multiple factual errors  🤦‍♀️

So, we scanned the letter, turned it into a PDF, then highlighted and corrected all the errors. We then politely emailed it across to the EOEGS, CCing in our GP, along with a clear restatement of outstanding issues and requests.

As the quarter ended, we got an offer of a 4th appointment (more surgical referral gatekeeping nonsense) next quarter. Then silence, yet again.

Q4 2024 came around. The EOEGS claimed that the IFR issue was still with its "service lead". We raised it at the 4th appointment. No answers. Only further promises to look into it and get back to us.

As 2024 ended, we went back to the NHS England IFR team. They confirmed once again that our gender clinic was shirking their responsibility over IFRs. So, we chased the EOEGS for the last time that year. No response ever came.

As we moved into 2025, we reached out to GDNRSS to ask for guidance and help. They responded quickly, but advised that the only thing we could do was to raise a complaint with PALS.

So, that's what we did, CCing in the EOEGS, and made it very clear that this was only being done as a matter of last resort.

By now, as you can imagine, we weren't expecting anything great. However, we hadn't been mentally prepared for the combination of incompetence, lack of reading comprehension, and institutional malice that followed.

They'd send us a complaint response that didn't show any understanding of our complaint. We'd go back and clarify the issues again, and suggest a call to discuss it. They'd investigate more, say that they'd pass along our request for a call, delay the response, and then send another one which again failed to address the core issues.

By Q2 2025, we reached the point where they refused to take the complaint forward any further, and just directed us to the PSHO, which is very much biased towards whatever the current government wants.

In other words, we'd run out of options to hold the EOEGS accountable 😞

NGL: in combination with multiple other factors, this kind of broke us, and we simply had none of the time, energy, spoons, or motivation to follow up any further.

After a few weeks, however, we decided on 2 last-ditch options available to us:

On the 1st point, the ticking clock for that started just a few days ago. Officially they have 1 calendar month to comply, but can request up to 3 calendar months if the request is deemed complex. We are under no obligation to agree to this as the data subject.

On the 2nd point, the senior partner had a call with us over the issues, then asked whether we could compile all the info on everything for him. We said it would be difficult for us, but agreed, so he booked a follow-up appointment for us on 2025-06-09 (yesterday).

NGL: going through all the emails and documents again, then summarising them into a chronological sequence of events, was very, very difficult for many reasons, but primarily because it meant going back through everything and reliving the cumulative trauma of it  

Nonetheless, we finished compiling it all just a couple of hours before the appointment. A "summary" document that spanned 4 sides of A4 and all the relevant "receipts" (digital documents like emails and PDFs), covering from August 2023 to June 2025.

Whilst the senior partner said it will take him time to go through it all, the key thing is that he agreed to submit the IFR for us.

It honestly made us teary just to have someone actually care enough to truly listen and be willing to discuss it with us  

Of course, this is just the beginning of another long, drawn-out process. It's likely going to take at least several weeks until we even get to the stage of working together to put together the best case possible, let alone getting the IFR submitted. It could even be months.

Even when it's submitted, it'll then be up to our local ICB to review the submission, and they will almost certainly find a reason or reasons to deny the application.

We're still not expecting this to succeed. We just wanted to have the chance to have at least one request submitted and reviewed.

The EOEGS and other NHS departments spent a level of magnitude more time, energy, and resources denying us the right to even consider submitting IFRs for us because, we suspect, they didn't want to set a precedent of trans patients in England utilising their rights.

Or maybe just because they didn't want to comply.

Whatever happens with the eventual IFR submission, at least we'll have tried every way we can think of to get the NHS to fund a basic gender-affirming surgery that would massively improve our daily quality of life.

If by some miracle the IFR is approved, it'll give us and maybe others a small glimmer of hope.

But realistically-speaking, at least then we can create a fundraiser for VFS with a clear conscience that we tried everything else we could first 🥺

If you got this far, thank you for reading this  Feel free to boost it, if you want others to read it too  

#trans #transgender #VoiceTraining #VoiceFeminisation #VoiceFeminisationSurgery #VFS #VoiceDysphoria #NHS #NHSEngland #EOEGS #PALS #IFR #ICB #ICS #GDNRSS #GAHT #GDPR #DSAR #TransRights #TransRightsAreHumanRights #LGBTQ+ #LGBTQIA+ #queer #GenderAffirmingCare

California passed a DELETE Act: summary of the "old" federal bill and brief summary of how this bill will be applied.

California passed a law that would give consumers an easy singular interface to opt-out of processing by data brokers and require them to delete your data. Neat stuff, if it works. There's a lot of overlap between this and what we've been building with the Data Rights Protocol and I'm excited to see those overlaps pursued.

Today we tagged a new version of the Data Rights Protocol, a new “common denominator” for data rights interchange.

Over the coming months we’ll be integrating it in to Consumer Reports’ Permission Slip and a number of #privacy / data management middleware providers will be integrating it for their customers to provide a simple unified messaging protocol for communicating #datarights requests like data sale #optout, deletion portability and #DSAR between end users and businesses through this ecosystem of authorized agents and privacy infrastructure providers.

This work will stream-line data rights access for consumers and businesses by moving the cost of identity verification to a one-time action performed by Agent applications, and provide a simple taxonomy for companies to automate their data rights pipelines around.

The system we’re designing operates more like a network of notaries than any sort of self-sovereign hardware-crypto backed decentralized identity system that folks on the Fediverse may be excited by, but this has been designed to target the technology that average consumers and businesses are accessing today while leaving the door open for more exciting technology down the line. It’s JSON, HTTP, and libsodium.

Without regulatory intervention a system like this will never be comprehensive – there is little reason for the nastier data brokers in @[email protected] ‘s BADBOOL to implement a DRP interface, but for companies that respect consumers DRP would be a slick part of an automated Data Management/Access/Deletion system that would be cheaper and more resilient than paying a bunch of paralegals to look at blurry smartphone photos of ID cards all day long. With the California Attorney General's recent announcement that requests submitted by services like Permission Slip should be respected, it's natural for businesses and advocates to build systems that can scale these requests up to a society that wants them but feels disempowered to exercise them in a meaningful way. Data Rights are not going away and ignoring even these baseline rights isn't going to work out so well.

I’ve been really happy to work with @[email protected] on moving the DRP forward toward this 1.0 implementation vision, sharpening our safety/security focus, and building something which is informed by more than just my experience/scars serving DSAR and Portability requests at my last job.