Continuing on our GDPR series this week we will be looking at the impact GDPR will have on legacy data.
What is Legacy Data?
We felt it only necessary to preface this article with a quick definition of legacy data in the context to which it is referred throughout.
Here legacy data is taken to be any existing data within an organisation that was collected before GDPR was enforced.
For example, customer names, phone numbers, addresses, etc. This data may have been collected lawfully under existing laws; however, the question remains: will it be possible to use such data once GDPR comes into effect on the 25th May?
The General Consensus
Consent will only be valid if it also meets the minimum legal requirements under GDPR: it must have been a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
According to the Head of Strategy & Intelligence for the UK’s Information Commissioner’s Office, no grace period will be afforded. Once GDPR comes into effect, data will need to be processed in line with the new standards and the processing of personal data will also be regulated. (‘Personal Data’ means any data that relates to a living individual who can be directly or indirectly identified from that data and any other data that the organisation may hold about them. So, for example, their name plus their contact details.)
In terms of meeting these minimum legal requirements of being “freely given, specific, unambiguous and informed,” here are our top 3 pointers:
Consent should not be a precondition of service. Therefore pre-ticked boxes will not be considered valid under GDPR. If users are or have been required to opt out from receiving promotional emails when signing up to your service (i.e. they had to untick a pre-ticked box), this will not be seen as a valid method of consent. This should instead be replaced with boxes which your customer needs to tick (opt in) should they wish for the specified processing to take place.
Consent must be provable, particularly in the case of an audit. If you do not possess a record that clearly states a user’s consent you could be found in breach. If you hold data on which you cannot provide basic information, such as when the consent was given, you will be unable to prove you have their consent should a complaint arise.
If you have been vague about what individuals were consenting to and if consent covered a range of processing activities that weren’t clearly defined, the consent you have won’t be valid under the GDPR.
A word of caution!
Be warned! After 25th May 2018, if a customer complains about receiving a marketing communication from you, this complaint could be escalated to the Regulator and you may be found to be in breach if you can’t prove you have adequate consent.
If consent was freely given, specific, unambiguous and informed it will be considered eligible under GDPR. Unsure? Then ask yourself the following in relation to your current or previous method of data collection.
Was the data:
- Obtained and processed fairly (did your customer know what they were signing up to?)
- Kept only for one or more specified and lawful purposes (if you said you were collecting information only to improve your loyalty programme, is that the only thing you did with that data?)
- Processed only in ways compatible with the purposes for which it was given to you initially (did you use it only to improve your loyalty programme?)
- Kept safe and secure
- Kept accurate and up-to-date
- Adequate, relevant and not excessive (if the loyalty programme was email-based only, did you also capture mobile phone numbers?)
- Retained no longer than is necessary for the specified purpose or purposes (your loyalty programme has ended, but do you still have the data?)
- Provided to any individual, on request, where the data in question is personal data relating to the subject making the request.
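The three pointers and the checklist above can be turned into a mechanical audit of a consent ledger. The following is an added example, not code from the original article or from any named organisation. The record layout (ConsentRecord), the field names and the sample ledger are assumptions constructed for illustration; a real consent store will differ, but each check maps onto a point made above: a clear affirmative action rather than a pre-ticked box, consent not bundled as a precondition of service, a timestamp and an evidence reference so consent is provable, and clearly defined purposes. It also checks that a given processing activity falls within the purposes actually consented to, and produces the list of subjects a re-permissioning campaign would need to contact.

```python
"""Audit legacy consent records against the GDPR consent tests above.

Added example, not part of the original article. ConsentRecord and the
SAMPLE_LEDGER data are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purposes: Tuple[str, ...]          # what the subject agreed to, e.g. ("loyalty_email",)
    obtained_at: Optional[datetime]    # when consent was given; None if the organisation does not know
    affirmative_action: bool           # subject ticked an unticked box, signed, or said yes on a call
    precondition_of_service: bool      # consent was bundled with signing up for the service
    evidence_ref: Optional[str]        # form version, page snapshot or call-script id backing the record


def consent_issues(rec: ConsentRecord) -> List[str]:
    """Reasons this record would not count as valid GDPR consent (empty list means it passes)."""
    issues: List[str] = []
    if not rec.affirmative_action:
        issues.append("no clear affirmative action (pre-ticked box or opt-out model)")
    if rec.precondition_of_service:
        issues.append("consent was a precondition of service, so not freely given")
    if not rec.purposes or any(not p.strip() for p in rec.purposes):
        issues.append("purposes not clearly specified")
    if rec.obtained_at is None:
        issues.append("no record of when consent was given")
    if not rec.evidence_ref:
        issues.append("no evidence reference, so consent cannot be proved at audit")
    return issues


def processing_permitted(rec: ConsentRecord, purpose: str) -> bool:
    """True only if the consent is valid AND the requested purpose is one the subject agreed to."""
    return not consent_issues(rec) and purpose in rec.purposes


def repermission_list(records: List[ConsentRecord]) -> Dict[str, List[str]]:
    """Subjects whose legacy consent fails, with the reasons: the input to a re-permissioning campaign."""
    result: Dict[str, List[str]] = {}
    for rec in records:
        issues = consent_issues(rec)
        if issues:
            result[rec.subject_id] = issues
    return result


# Constructed sample ledger (not real customer data).
SAMPLE_LEDGER = [
    # Ticked an unticked box on a versioned form: passes every check.
    ConsentRecord("s-001", ("loyalty_email",),
                  datetime(2017, 3, 2, tzinfo=timezone.utc), True, False, "signup-form-v3"),
    # Pre-ticked box the customer had to untick: fails the affirmative-action test.
    ConsentRecord("s-002", ("loyalty_email", "sms_offers"),
                  datetime(2016, 11, 9, tzinfo=timezone.utc), False, False, "signup-form-v2"),
    # Bundled with signup, no timestamp, no evidence: fails three tests.
    ConsentRecord("s-003", ("marketing",), None, True, True, None),
]

if __name__ == "__main__":
    for subject, reasons in repermission_list(SAMPLE_LEDGER).items():
        print(subject, "->", "; ".join(reasons))
    print("s-001 loyalty_email permitted:", processing_permitted(SAMPLE_LEDGER[0], "loyalty_email"))
    print("s-001 sms_offers permitted:", processing_permitted(SAMPLE_LEDGER[0], "sms_offers"))
```

Running the script lists s-002 and s-003 with their reasons, and shows that even a valid record (s-001) does not permit processing for a purpose the subject never agreed to, which is the "compatible with the purposes for which it was given" point in the checklist.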
If your company collects or stores any Personal Data on a computer or filing system it will most certainly be processing that data and be subject to data protection law under the Data Protection Regulation (DPR) & GDPR. Many existing concepts will remain intact, so if you are already compliant you may already be well on your way toward compliance under the new regulation.
With the threat of legal action for non-compliance looming large it is important to get your processes and procedures in order, and there’s no time like the present! The days of getting a small slap on the wrist as the result of a breach are over. Companies can be fined up to €20 million or 4% of global turnover depending on the severity of the offence!
With such a significant increase in the stakes, matters regarding data protection should no longer be seen as the sole responsibility of the Compliance Department. Board-level leadership and company wide awareness must emphasise the need for all those involved in the collection or processing of personal data to do so in accordance with the correct policies and procedures.
Where to from here?
One way to ensure you can provide provable consent is to deploy a re-permissioning campaign. However there are still some considerations which need to be taken into account should you opt for this method. Namely, avoiding being in breach of current Data Protection Law whilst attempting to comply with the new one! If the grounds for collecting consent were a little murky to begin with, then you will need to tread carefully. The area of legitimate interest is also an area worth exploring.
Finally, according to the Data Protection Network, safer alternatives to email could be to include new permission statements within postal communications, to add permission pop-ups for customers when visiting your website, and/or to renew consent over the telephone with a GDPR-compliant script.
If you have concerns on whether or not your legacy data is compliant with GDPR contact us at email@example.com or call +353 1 804 1298.