GDPR for Marketing Professionals
GDPR for Marketing Professionals - Part I - DATA, Produced in consultation with Sevin Cyber Security
Part I - Questions on Protecting Data
Q: Do I have to work out what data I have, where it is and how I'm using it e.g. data collected on the website, SaaS systems - how could I map all that?
A: Sorry to say, yes: if you have any data that relates to an identifiable person, or that could help to identify a person, you must be able to track it irrespective of how you obtained it. Remember, a person has a claim on how you process his or her individual data, so you must be able to say how you process their data and be able to accept their requests to limit your processing of it.
Q: Where can I store data?
A: Well, strictly you CAN store data anywhere. If, however, you plan to store data in locations outside the EU Member States, there must be evidence that the controls applied there (and that country's laws) follow the same principles as the GDPR. This also applies to "Cloud" based technologies such as Amazon Web Services, Dropbox, Google Docs etc.
Q: How long do I need to keep it and is there a need for back-up?
A: You should really only keep data for the minimum amount of time that you need it, and this period should be communicated to the individuals whose data you store.
You don't strictly need to back up data, but you have a responsibility to ensure that you can respond to any individual about the data stored about them. If you've lost or cannot find that data, you will find yourself in breach of the Regulation for those requests. In addition, if you delete or lose data to the extent that you can no longer identify a person, you should also notify that person to that effect (despite the paradox that causes).
Q: How do I need to protect data?
A: You can choose how to protect it, but there is the expectation that you will use "state of the art" measures to do so, and that your protections are proportionate to the risk, the size of the data set, the sensitivity of the data and the potential impact on the freedom and livelihood of the individuals you store data about. Here it is best to take professional advice on what proportionate mitigations are.
Q: If I buy marketing list data in, what do I need to consider?
A: If this contains data that can be used to identify people, then there are a few things you must do:
- Protect the data as if you'd got it directly from the individuals themselves
- Notify all individuals in that data set that you've now been given the data, what data you've been given, what your policies for holding and processing data are, how long you will retain it, how you handle requests for processing restrictions, plus all the other GDPR obligations to individuals
- Check to ensure that any processing restrictions that were in place from the data originator (whoever gave you the data) also come along with the data
Q: What data can I NOT keep? e.g. IP address, personal stuff etc.
A: There are only a few special categories of data that you should not keep, and these relate to social issues and criminal issues.
For criminal convictions and offences, this can still be handled, but only with special authorisations or where required by particular rules of law.
For social data, such as race, religion, philosophical beliefs and ethnicity (all defined in Article 9 of the Regulation), this shouldn't be held, but there are grounds on which you can hold it, such as: consent explicitly given, it is required by law, it is necessary to process it in order to protect the individual, or it is already in the public domain (there are a few other caveats too).
Q: If my business only operates in the UK do I need to worry about GDPR?
A: The Regulation applies to any organisation that processes data relating to people who reside in EU Member States or are EU Citizens. In addition, the Data Protection Bill going through Parliament at the moment is codifying the EU GDPR into UK law anyway, so all GDPR rules will become part of UK law even after the UK has exited the EU; hence this will apply to all UK Citizens even if they are not EU Citizens.
Q: Do we have to have something to prove we've "forgotten" someone who has requested that their data stream be deleted forever?
A: In a way it is tricky to prove that you no longer have something, particularly in today's digital world. You should, however, have processes to ensure that data is erased, and these processes should be reliable and auditable.