Thursday 25 January 2018

GDPR: too good to be forgotten

We’ve all received emails we don’t want, whether or not they’re relevant. Normally it’s just a case of scrolling down and clicking the “unsubscribe” link, and as long as the company sending the email is responsible you won’t hear from them again. Some people wrongly assume that clicking an unsubscribe link will delete them from that company’s database. It is true that under article 16 of the GDPR there is a “right to erasure”, sometimes known as the right to be forgotten. Unfortunately, this right can’t be applied in these circumstances, because another law prevents companies from emailing people who have opted out of marketing communications. That law is the “Privacy and Electronic Communications Regulations” (frequently known as PECR). Because of it, any company you have opted out of marketing communications from has a legal obligation to keep a record of that opt-out on its suppression list, and a legal obligation is one of the grounds on which the right to erasure can be refused.

This is something that FlyBe, Honda and Morrisons all know too well as the ICO found them in breach of PECR in 2017 for emailing people who had previously opted out of marketing communications and fined them a total of £93,500!

The other thing to remember is that GDPR says consent must be as easy to withdraw as it is to give. So you need to make sure that your unsubscribe mechanisms are as easy as possible and, crucially, are working correctly. I see plenty of poor unsubscribe mechanisms that ask me to enter the email address the message was sent to, but most email clients don’t make that easy to find out, and if you have multiple email addresses it can be very frustrating. Finally, make sure you’re archiving the list of unsubscribe requests somewhere safe: if you rely on an online platform to manage it for you and they get it wrong and lose the list, you will be the one the ICO comes for if you email people you shouldn’t!

Monday 8 January 2018

GDPR: Reasons to be Lawful

There are six lawful reasons to store and process data. I covered one – ‘legitimate interests’ – in my last blog so I thought the next obvious step would be to explain the other five.

Read more: a matter of consent.

I’ll start with the reasons of least general relevance to the majority of the conference industry, so we can quickly get the less interesting ones out of the way and focus on the more relevant ones. I’ll also use the terms set out in the act to avoid confusion:

  1. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; it would be in the public interest for the Police to keep data pertaining to an individual’s criminal record for example. The ‘right to be forgotten’ is not an absolute right in this case!
  2. Processing is necessary for compliance with a legal obligation to which the controller is subject; it may be a legal requirement for a company to keep data relating to a person’s financial transactions – for accounting for example.
  3. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; it’s perfectly acceptable to keep data relating to someone you are starting a contract with, or that you are hoping to start a contract with. This could relate to a non-financial contract too.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person; the operative words here are ‘vital interests’, meaning that it is perfectly legal to process data that could make a difference to the data subject. There isn’t yet an official definition of ‘vital interests’ but you can assume ‘life or death’ as safe. This reason becomes applicable to events because it means that you can quite legitimately store data that relates to a person’s allergies, relevant medical issues or their disabilities. This also brings up the fact that the data you hold on one person could be legitimately processed under different sections of this act. For example, you could hold a person’s name and contact details under ‘legitimate interest’ and their dietary requirements under ‘vital interest’. It could also mean that you may need to keep parts of their data for longer periods than others. For example, you may have no justification for keeping their dietary requirements, but can keep contact details so you can market to them for another run of the same event. Each of these different reasons for processing their data, and your desired retention period needs to be clearly stated in your privacy policy – but we will cover that in a future blog.
  5. The data subject has given consent to the processing of his or her personal data for one or more specific purposes; this is the one that has alarmed everyone. As I have said before, if you can use any of the other five reasons for storing data, then do so. Do not go down the route of asking consent unless it is your only option.

If you do need to ask for consent, then you have to make sure that you ask for it clearly and on a granular level. Article 7 covers the conditions for consent and they are listed on page 17 of our GDPR white paper, which you can view here.

This option is very relevant when asking delegates to register for an event. I can categorically state that your event registration form will have to change under GDPR. When collecting data, consent has to be asked for in a clear and concise manner and not buried deep within the small print. Specific questions need to be asked; you cannot simply bundle consent into one ‘catch all’ statement that simply states ‘marketing’ – you must separate multiple purposes and reasons for using their data into different questions.

You also cannot dictate that consent is part of the deal – for example, that the subject is only allowed to enter an event or receive goods if they give their consent to receiving your newsletter – something you might be able to do if you were only using legitimate interests.

A data subject must give consent in an affirmative nature – i.e. they have to actively say yes, rather than simply not saying no. Equally, pre-ticked boxes that the subject has to untick are not allowed.

You also have to be able to prove that your data subject gave their consent, and document exactly what they consented to. In 2016 Honda was fined £13,000 for marketing to people whose data had been fed into its central database by its dealers. The dealers may have obtained permission to use the data, but mandatory fields were not filled in, so Honda could not prove that it had specific permission to do so. Interestingly, this was under the Privacy and Electronic Communications Regulations (PECR) rather than GDPR, so don’t think that just being GDPR compliant is enough!

Consent policies can change over time, so you must keep an audit trail of exactly what wording each data subject has agreed to. And obviously, you can’t change your policy and then assume that because a data subject agreed to a past policy they have given permission for the newer one.
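The suppression-list point from the first post and the consent audit trail above, modelled in Python as an added example (this is not the blog’s own code; the ConsentRegister class, the purpose names and the email addresses are assumed or constructed for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    """One granular consent: the exact wording and version the subject agreed to."""
    email: str
    purpose: str          # e.g. "newsletter"; never a catch-all "marketing"
    policy_version: str   # version of the consent wording in force at the time
    wording: str          # verbatim text shown to the subject (the evidence)
    given_at: datetime


class ConsentRegister:
    """Hypothetical register combining a consent audit trail and a PECR suppression list."""

    def __init__(self) -> None:
        self._consents: list[ConsentRecord] = []  # append-only audit trail
        self._suppression: set[str] = set()       # opt-outs, kept under a legal obligation

    def record_consent(self, email: str, purpose: str, policy_version: str,
                       wording: str, ticked_by_subject: bool) -> None:
        # Consent must be an affirmative act: an untouched pre-ticked box is not consent
        if not ticked_by_subject:
            raise ValueError("consent must be given by an affirmative act of the subject")
        self._consents.append(ConsentRecord(email, purpose, policy_version, wording,
                                            datetime.now(timezone.utc)))

    def unsubscribe(self, email: str) -> None:
        # Withdrawal needs nothing more than the address the message was sent to
        self._suppression.add(email)

    def erase(self, email: str) -> None:
        # Right to erasure: drop the consent records, but the suppression entry stays,
        # because the obligation not to email opt-outs overrides the erasure request
        self._consents = [c for c in self._consents if c.email != email]

    def may_email(self, email: str, purpose: str, current_version: str) -> bool:
        if email in self._suppression:
            return False
        # Consent is per purpose, and consent to older wording does not carry over
        return any(c.email == email and c.purpose == purpose
                   and c.policy_version == current_version for c in self._consents)

    def evidence(self, email: str) -> list[ConsentRecord]:
        """What this subject agreed to, and when: the proof the ICO would ask for."""
        return [c for c in self._consents if c.email == email]

    def is_suppressed(self, email: str) -> bool:
        return email in self._suppression
```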

Consent relating to children’s data is a completely different matter, and at the moment the rules around it are a little fuzzy, as they are written with information society services in mind (social media and the like). Thankfully it isn’t generally relevant to our industry, so we don’t need to worry about this.

It is important to remember that none of these reasons to store personal data are carte blanche to keep data indefinitely. You need to have a data retention policy that says how long you will keep personal data for – or at least, how you decide how long to keep the data for. More on that and also privacy policies in an upcoming blog.