By Charles Oppenheim, Senior Consultant, Naomi Korn Associates
Photo by Dennis Kummer on Unsplash
No doubt every reader of this blog post will have received emails asking them to confirm they still wish to receive mailings, because of changes to the law introduced by the EU’s General Data Protection Regulation and coming into effect on May 25th 2018. I suspect in the vast majority of cases, these emails were not needed. Too many organisations are assuming GDPR means a massive change to their obligations, when in fact the changes introduced by GDPR to UK data protection law are modest. Organisations must make changes to the way they operate as there are more obligations to report serious data breaches, the maximum fines for breaches of the law have gone up, there is a need to build in “privacy by design” into operations, Privacy Impact Assessments are required, and many organisations need to appoint a nominated Data Protection Officer. But when it comes to the lawfulness of processing data, relatively little has changed. So, advice or instructions such as “all personal data must be deleted from emails”, “you must delete someone’s records if they have not responded to your requests to confirm twice”, “you must delete all records of people who have resigned”, “delete all electronic records, but manual records are OK”, “you are obliged to ask for permission before you can hold someone’s personal data” and the like (and I’ve seen all these, and more) are, quite simply, nonsense.
So let’s get the facts about when you may process, i.e., obtain, record, manage, structure, store, amend or delete, or disseminate personal data correct – and as I say, the law has hardly changed in this regard. There are six – yes, six – reasons why you are allowed to process personal data. Any one of them or more than one will be enough reason for an organisation to be allowed to process personal data. The six reasons, listed in Article 6 and explained in Recitals 28 – 50 of the GDPR are:
- The data subject has given their explicit consent – the one everyone seems to be hung up about. Permission should be explicit and unambiguous – with clear opt in preferences recorded and initiated. The fact that this has not necessarily been respected is why so many organisations are panicking now.
- The processing is necessary for the performance of a contract to which the data subject is a party – so, for example, if someone subscribes to a magazine, the publisher and/or distributor needs the subscriber’s details to send them.
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
- The processing is necessary to protect the vital interests of the data subject – e.g., health records, so medical and dental practices do not need to ask for permission to keep patient records, for example.
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
- The processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party, unless such interests are over-ridden by the interests of the data subject.
Number 6 is the reason that is most likely to apply to organisations, rather than number 1. Thus, for example, a membership organisation can keep records of lapsed members so it can subsequently analyse why it is losing them (“we seem to be losing a lot of under-40s – maybe we should improve our appeal to them” is an example.) The law states that personal data should not be kept longer than is necessary, and of course that is a rather vague restriction, but organisations should be aware of how long they should keep records, e.g., for tax reporting purposes.
So please, everyone, don’t panic about the GDPR, and don’t buy into the myths. Having said all that, one good thing about the many emails coming your way is that it gives you a good excuse to not answer, or to reply saying you no longer wish to receive communication from the organisation, and thereby stop getting bombarded with emails and marketing stuff you’re not really interested in. A question is whether, after May 25th, organisations really do delete you from their mailing lists!
(c) Naomi Korn Associates, 2018, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence