How Organisations Are Failing to Process Personal Data Lawfully Under the GDPR

Problems with consent, purpose limitation, retention periods, and more

At the heart of the GDPR (General Data Protection Regulation) lie the Article 5 data protection principles.

When I asked data privacy trainer and DPO (data protection officer) Andy Snow which principle organisations are most prone to getting wrong, he found it hard to pick just one. In part, this is because the principles interlink: an issue with one principle leads to issues with (some of) the others, too.

Andy took the first principle as an example, saying:

You’d think organisations can get something as basic as ‘lawfulness, fairness and transparency’ right, but no!

There are often problems with the lawfulness of personal data processing, largely due to over-reliance on consent. Organisations still don’t understand what consent actually entails.

I sat down with Andy to find out more. How are organisations failing to process personal data lawfully under the GDPR, and how can they address this while improving their day-to-day business operations?

Our conversation touches on some of the other data protection principles too, including purpose limitation and storage limitation.

In this interview

Business benefits of GDPR compliance

Purpose limitation

Retention periods

Lawful bases

Consent

Lawful processing: not breaking other laws

Introduction

You say organisations misunderstand consent under the GDPR. Could you elaborate?

Suppose you have an organisation processing a million people’s data for marketing purposes based on consent. Accountability says you must be able to demonstrate that consent – but organisations frequently can’t.

And then we face the next problem. Out of that million [people’s data collected for marketing], when was the last time someone purchased something? Or even engaged with the marketing:

Within the last month?

Within the last three months?

Within the last six months?

Within the last year?

Few organisations can give me that breakdown.

Business benefits of GDPR compliance

Putting consent aside for a moment [we come back to it later], collecting that much data you’re not using seems counterproductive from a business point of view too.

Absolutely! Suppose the head of marketing reported to the board that the organisation is marketing to a million people. That sounds good – except that figure is incredibly misleading if only a tiny percentage engages with that marketing.

Sure, collecting more information technically means more business opportunity. But it also means more risk: if you suffer a data breach, the impact will be far greater.

More data also means more storage space, which tends to go hand in hand with a larger attack surface. In other words, it’s not just the potential impact that’s greater – you’re more likely to suffer a breach to begin with.

Not to mention how storage space costs money, both for hard-copy and digital information. That cost can grow exponentially when also accounting for backups.

Purpose limitation

What’s a clue that an organisation is processing too much personal data?

When you can’t point to a clear reason for storing or processing that personal data. [Principle 2 – purpose limitation.]

If you can’t point to one, that’s not just unlawful – it strongly signals that keeping the data serves no business purpose either.

This is what I like about the GDPR – if you adhere to its principles, you’re not just protecting people’s data, but also running your business better.

Can you give us a real-life example?

Visitor logs are a good one. What do you keep them for? What purpose do they serve?

Well, they’re generally used to account for who is within the building on a given day – in case of having to do a headcount if you had to evacuate the building, for example.

So, why would you need to keep those logs for any longer than that day? [Which many organisations do.]

Shouldn’t you keep visitor logs for the same time you keep CCTV footage?

Exactly. A couple of years back, I was on-site with a client. They had me sign a visitor’s book. They also took my picture.

Me: “Why do you need my picture?”

Client: “If we identify suspicious activity on CCTV, we can use those pictures to identify the person.”

Me: “Excellent! So, how long do you keep your CCTV footage for?”

Client: “We store it on a rolling 30-day cycle.”

Me: “Fantastic. How long do you keep visitor pictures for?”

Client: “We’ve got them going back to 2009.”

That stayed with me as the perfect example of people not understanding why they’re collecting data, how they’re using that data, or how long they should be keeping it for.

That said, this is just one reason for collecting this information. In specific scenarios, you may have to keep it for extended periods.

A good example might be that an incident had taken place, so you need to keep the footage and pictures from a specific period for longer – the duration of the investigation and possible court case.

Your retention schedule can allow leeway from your usual periods for these types of scenario: you can set out the criteria for setting your retention periods as well as concrete time periods.

Either way, it comes back to data minimisation and purpose limitation: only collect personal data for a specific purpose, and keep it only for as long as necessary for that purpose.

Retention periods

Let’s come back to your earlier marketing example: an organisation has a massive marketing mailing list but only a fraction of people on it interact with that marketing.

Where do we go from there?

Your retention schedule should make clear when you’re archiving those records [assuming you don’t use them for other purposes] after some reasonable period. That might be six months, or perhaps a year.

At a minimum, your retention schedule should set out the criteria for setting the retention periods. [Also see the earlier explanation.]

What does ‘archiving’ mean in this context? And how long should it remain in the archive before the data is permanently deleted or destroyed?

If someone ends up on a marketing list, you may have already been processing their data for a different reason – most obviously, because they purchased something.

So, suppose that person opted out of marketing. You’d then no longer actively process their data, but you’d need to store their records to meet your legal and/or contractual obligations. That’s a form of archiving – storing personal data and safeguarding it with encryption, or another appropriate measure, but not doing anything else with that data.

You’d then destroy it once the retention period for that legal or contractual obligation runs out.

Can data be truly destroyed?

Most organisations will simply click ‘delete’ and not carry out additional storage media sanitisation, like overwriting the media at least seven times, or using a software solution that ‘shreds’ the data electronically.

But the GDPR is risk-based, and in many circumstances, such state-of-the-art measures wouldn’t be proportionate. So, if someone just presses ‘delete’, the data should then be gone – including from backups – within a month of that deletion.

The key is to make the personal data unidentifiable, using the tools reasonably available. After all, it’s a criminal offence to attempt to re-identify de-identified data!

Coming back to retention periods, how can an organisation establish a “reasonable” retention period?

Organisations must ask themselves: when do we say ‘enough is enough’? Where do we draw that line in the sand and stop contacting this person? When does it become clear that they’re not going to respond, and we’re wasting time and resources by trying to contact them again?

The exact moment depends on the organisation. What type of product or service are you trying to sell? If you’re a luxury retailer, or selling high-ticket items like fridge freezers, your expectations are different to an organisation that sells, say, monthly subscriptions.

What other problems do you see around data retention?

One classic scenario is what you do with the data of someone who leaves an organisation. You’ll then archive the record – but what part of that record?

The trouble is that organisations treat personal data as a ‘bundle’, rather than look at the individual categories of data.

For example, unless you had to use the person’s emergency contact details while they were employed, you can likely destroy that part of their record immediately after they leave. You no longer have a reason to keep that data.


Lawful bases

We’ve touched on the reasons for, or purposes of, processing a few times now. Of course, these link closely to the lawful bases. The basic GDPR rules around them seem reasonably straightforward: you need to be able to rely on one of the six lawful bases to process personal data lawfully.

So, where do problems arise?

People don’t understand that the lawful bases are not an open-ended ticket – they need time limits. They need relevance [i.e. purpose limitation].

You need to know what your legal and contractual requirements are for data processing and retention. Beyond that, you need to understand what you need the data for.

Let’s take a basic example: an employment contract.

When you employ someone, the contract will say you’re processing personal data to fulfil your contractual obligations. Upon termination of that contract, the lawful basis changes. At that point, you’re keeping the personal data for six years to meet a legal obligation.

Some organisations might extend that to seven years, but that means you have to change the lawful basis again at the end of the sixth year: to legitimate interests. And you’ll have to show you can justify that legitimate interest through your LIA [legitimate interests assessment].

Again, understand the lawful basis you’re relying on and its limitations. Whatever the purpose for processing, it needs to come with a life span appropriate to that purpose.

Consent

Speaking of lawful bases, let’s come back to consent.

The ‘typical’ requirements of consent aside [see above], must consent also be refreshed? And is there a link with appropriate retention periods, when processing personal data for marketing purposes?

Refreshing consent isn’t an explicit GDPR requirement – you either have consent or you don’t. The ICO was clear about that in the early days of the GDPR, and said something similar about the PECR [Privacy and Electronic Communications Regulations 2003].

This includes the time-limit aspect. Once your retention period is hit, you no longer have consent – it’s not a grey area. You must then either archive that data or get new consent.

That means asking the person if they want to receive marketing on XYZ – remember, consent must be clear, informed and given for a specific purpose to be valid.

What happens if one person in an organisation withdraws consent for marketing? Would you then be able to market to others within that same organisation?

Yes – the consent is for that individual, not for the overall organisation.

Equally, if you’re about to approach a new person in that organisation, and someone else has already objected to marketing, you can still ask this other person for their consent.

That said, be aware of the CTPS and FPS [Corporate Telephone Preference Service and Fax Preference Service]. These are central UK registers for businesses to opt out of unsolicited marketing phone calls and faxes, and apply to all employees within the businesses listed.

So, before you make cold calls [or send cold faxes], check those registers.

What else must marketers be aware of around consent and the GDPR?

If you buy a marketing list, and email the people on that list, people may opt out of marketing from your organisation.

Suppose that, a few weeks or months later, you then buy a new marketing list that has some duplicate email addresses with the first list. Make sure you don’t email those people again by putting them on a suppression list.
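As an added example for this page (not part of the interview, and not code from Andy or IT Governance), the following Python shows one way to implement the suppression list described above. It keeps only a SHA-256 of each normalised opted-out address rather than the address itself, so the list does not become a plaintext copy of the very people who asked not to be contacted, and it screens a newly bought list against that store, de-duplicating entries that differ only in case or whitespace. All function names and the sample addresses are constructed for the example.

```python
"""Hashed suppression list for marketing e-mail (added example)."""
import hashlib
from typing import Iterable


def normalise_email(addr: str) -> str:
    """Canonicalise an address so 'Alice@Example.COM ' and 'alice@example.com'
    map to the same suppression key.

    Lower-casing the local part is strictly lossy (RFC 5321 lets it be
    case-sensitive), but mailbox providers treat it as case-insensitive and
    suppression lists in practice do the same.
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return f"{local}@{domain}"


def suppression_key(addr: str) -> str:
    """SHA-256 of the normalised address.

    The hash is deliberately unsalted so the same address matches across
    lists. An unsalted hash of an e-mail address is pseudonymised, not
    anonymised (it can be rebuilt from a dictionary of addresses), so the
    list still has to be protected as personal data.
    """
    return hashlib.sha256(normalise_email(addr).encode("utf-8")).hexdigest()


class SuppressionList:
    """Opt-outs kept as hashes; checked before every send."""

    def __init__(self, addrs: Iterable[str] = ()) -> None:
        self._keys: set[str] = set()
        for a in addrs:
            self.add(a)

    def add(self, addr: str) -> None:
        self._keys.add(suppression_key(addr))

    def __contains__(self, addr: str) -> bool:
        try:
            return suppression_key(addr) in self._keys
        except ValueError:
            return False

    def __len__(self) -> int:
        return len(self._keys)

    def screen(self, candidates: Iterable[str]) -> dict:
        """Split a freshly bought list into send / suppressed / invalid.

        Candidates are de-duplicated on their normalised form, so a person
        the broker listed twice is only contacted once.
        """
        send: list[str] = []
        seen: set[str] = set()
        suppressed = 0
        invalid: list[str] = []
        for raw in candidates:
            try:
                key = suppression_key(raw)
            except ValueError:
                invalid.append(raw)
                continue
            if key in self._keys:
                suppressed += 1
            elif key not in seen:
                seen.add(key)
                send.append(normalise_email(raw))
        return {"send": send, "suppressed": suppressed, "invalid": invalid}


def demo() -> dict:
    """Constructed sample data: two opt-outs from a first campaign, then a
    second bought list that overlaps the first with different casing."""
    opted_out = ["Alice@Example.com ", "carol@example.org"]
    suppression = SuppressionList(opted_out)

    second_list = [
        "ALICE@example.com",   # opted out after the first campaign
        "bob@example.net",
        "Bob@Example.net",     # same person, listed twice by the broker
        "Carol@Example.org",   # also opted out
        "dave@example.com",
        "not-an-address",      # broker data is rarely clean
    ]
    return suppression.screen(second_list)


if __name__ == "__main__":
    print(demo())
```

The screening step runs before every campaign, not only when a new list is bought: the opt-out store is the long-lived record, while each purchased list is transient input. Storing hashes also keeps the suppression list itself within data minimisation, although, as the comment notes, it remains pseudonymous personal data rather than anonymous data.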

Lawful processing: not breaking other laws

We’ve talked a lot about the lawful bases under the GDPR. What about the other sense of ‘lawful’ processing [under the first data protection principle] – not breaking any other laws?

The EU GDPR was designed to integrate with EU laws, so you won’t get conflicts there. And although the UK has now left the EU, we haven’t seen too many differences between UK and EU law post-Brexit – at least, as far as data privacy and data processing go.

But the further afield you go, the more problems you might run into – I gave an example of that in my blog about international transfers. [A large Saudi Arabian organisation is prevented by national law from reporting data breaches outside Saudi Arabia.]

In a nutshell, the stricter requirement will always apply. That’s typically been the GDPR, particularly within Europe. However, we may see more divergence as the Regulation ages, and more new laws with stricter requirements than the GDPR emerge.

Get to grips with the key GDPR requirements

Our one-day Certified GDPR Foundation Training Course, delivered by an experienced practitioner like Andy, equips you with the practical knowledge and skills you need to ensure compliance with the GDPR.

What’s more, it’ll give you the knowledge and skills you need to thrive in a data-driven world.

Gain real-world insights and practical examples that bridge the gap between theory and practice.

Our interactive training sessions and hands-on exercises provide you with the tools needed to implement GDPR principles effectively within your organisation.

Don’t take our word for it

Here’s what our customers say:

Michael:

Excellent course with an excellent instructor. As others have mentioned, it is a lot of information. However, this is delivered in the most accessible and engaging way possible. Opens doors to the next level and does a good job of putting attendees on that path.

Would highly recommend.

David:

Delivered well – must have been, as I passed easily! It’s a dry topic but the instructor got us through the day well and set me up nicely for the DPO course that followed.

About Andrew Snow

Andrew ‘Andy’ Snow is a GDPR DPO with extensive public- and private-sector experience in regulatory compliance, privacy compliance framework development, and other areas relating to data protection, having worked in the field since 1998.

He’s also an enthusiastic data privacy and cyber security trainer, consistently receiving high praise from course attendees – in particular, for his engaging delivery style and plethora of real-life examples. Andy has supported the career development of more than 4,000 people on the GDPR alone.

Previously, we’ve interviewed him about GDPR accountability, ROPAs (records of processing activities), GDPR Article 28 contracts and streamlining GDPR compliance. Andy has also written about international data transfers under the GDPR.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter.

Alternatively, explore our full index of interviews here.

The post How Organisations Are Failing to Process Personal Data Lawfully Under the GDPR appeared first on IT Governance UK Blog.
