
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


GDPR: Seek re-consent or burn your contacts database, really?

Posted: 07 March 2018


So, you've been told that you need to destroy your prized contacts database unless you can prove that you have consent to process the personal data of those that you store. Maybe you can send out communication asking those contacts to re-consent... but how many would? And what about the problems which Honda incurred by doing this?

What does the GDPR say?

With the DPD (Data Protection Directive 1995) and the PECR (Privacy and Electronic Communications Regulation 2003) largely ignored over the past decade, it is the GDPR (General Data Protection Regulation) that has thrust this issue into the limelight.

Concerned with all things personal data, the GDPR requires that the processing of personal data be lawful, with lawfulness defined in article 6. There are six conditions upon which processing personal data is considered lawful:

  • Where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Where processing is necessary for the performance of a contract.
  • Where processing is necessary for compliance with a legal obligation.
  • Where processing is necessary in order to protect the vital interests of the data subject.
  • Where processing is necessary for a task carried out in the public interest.
  • Where processing is necessary for the purpose of legitimate interests carried out by the data controller.

Note: The above has been shortened; you can refer to article 6 of the GDPR for the full text.

Without the ability to demonstrate consent for the processing of a data subject's personal data, you will need to seek justification under one of the other five lawful bases, or enact that data subject's right to erasure and remove their personal data from your contacts database. One such approach is to investigate the viability of demonstrating legitimate interests, something which the UK's supervisory authority, the ICO (Information Commissioner's Office), has said could be used when processing for the purpose of direct marketing. While this may be the case, it is not an easy escape hole for demonstrating lawful processing, as it requires you to consider whether or not your processing activity is balanced against the interests of the data subject; something you would be expected to document.

Consent may actually be the simpler option.

What does the PECR say?

Your processing activities may be lawful under the GDPR; however, if your processing activity is for the purpose of electronic communication, as direct marketing is, then you will also need to consider the requirements of the PECR.

Let us focus on email communication.

Individuals, sole traders and partnerships are considered consumers, and email communication with them is only permitted if one of two conditions is met:

  • They have explicitly consented to receiving email from you.
  • They are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent. This is known as a soft opt-in.

For companies such as limited liability and publicly traded companies, there are no such conditions, however you must still make the opt-out option available in each email; this is usually achieved through an unsubscribe button.

Take careful note of the case of Honda, who found themselves at the wrong end of the PECR and were fined £13,000. They had been sending emails to their contacts database asking for consent to continue processing in order to comply with the GDPR, yet could not show that they had the consent needed to send such emails in the first place. Similar examples are available from your local supervisory authority.

The options based on GDPR and PECR

By now you will probably have noticed that there is a fine line to be walked between the GDPR and the PECR. The bottom line is simple: you cannot process personal data under the GDPR without proving lawfulness, and you cannot communicate under the PECR without meeting its requirements. Satisfying one and not the other is unfortunate, but neither regulation supersedes the other, and you will probably be best served by cleansing your contacts database and improving your data collection methods.

Recently the ICO addressed much of the gloom surrounding the need to collect consent. Capturing the mood perfectly, Elizabeth Denham, the Information Commissioner at the UK's ICO, said that while consent might not be the smoothest method of demonstrating lawfulness, it will lead to better engaged customers who are fully informed about their choices and more receptive to the communications they receive.

Yes, your database may shrink substantially; but what it will be replaced with is much better.

Posted by: Chris Payne
Senior Technical Consultant, Infinigate UK
