Quick Guide to UK GDPR, Marketing and Cookies

January 2024

How UK GDPR and PECR go hand-in-hand

Most have heard of GDPR. However, data protection law existed way before this new kid arrived on the block in 2018. And let’s not forget in the UK, GDPR has an equally important cousin called PECR.

The UK’s Privacy and Electronic Communications Regulations (PECR) have been around since 2003, before the days of smartphones and apps. Organisations need to consider both UK GDPR and PECR when it comes to marketing and cookies.

Why marketers need to pay attention

There are more fines issued by the Information Commissioner’s Office (ICO) for falling foul of the PECR marketing rules than there are under UK GDPR. Under UK data reform plans, the amount the Regulator can fine under PECR could be set to increase substantially to a maximum of around £17 million. Currently, the maximum fine under PECR is £500k. So it’s worth taking notice.

This is a quick overview, and we’d encourage you to check the ICO’s detailed marketing guidance and cookie guidance.

What’s the difference between UK GDPR and PECR?

In a nutshell…

UK GDPR

✓ Tells us how we should handle personal data – information which could directly or indirectly identify someone.
✓ Sets out requirements organisations need to meet and their obligations.
✓ Provides us with seven core data protection principles which need to be considered whenever we handle personal data for any purpose, including marketing.
✓ Defines the legal standard for consent, which is relevant for direct marketing.
✓ Gives people privacy rights, including an absolute right to object to direct marketing.

One of the principles is that processing of personal data must be lawful, fair and transparent. This includes making sure we have a lawful basis for our activities.

PECR

✓ Sets out specific rules for marketing to UK citizens, for example by email, text message or telemarketing calls.
✓ Sets out specific rules when using cookies and similar technologies (such as scripts, tracking pixels and plugins).

PECR is derived from an EU directive, and EU countries have their own equivalent regulations which, whilst covering similar areas, may have different requirements when marketing to their citizens.

We’ve written about the specific rules for email marketing and telemarketing here:
UK email marketing rules
UK telemarketing rules
The ‘soft opt-in’ – are you getting it right

How do UK GDPR and PECR work together?

Direct marketing

Marketers need to consider the core principles of UK GDPR when handling people’s personal information. Furthermore, they need to have a lawful basis for each data activity. Of the six lawful bases, two are appropriate for direct marketing activities: Consent and Legitimate Interests.

Consent: PECR tells us, for certain electronic marketing activity, we have to get people’s prior consent. UK GDPR tells us the standards we need to meet for this consent to be valid. Consent – Getting it right

Legitimate interests: If the types of marketing we conduct don’t require consent under PECR, we may choose to request consent anyway, or we could rely on legitimate interests. For example, marketing to business contacts rather than consumers.

Under GDPR, we need to be sure to balance our legitimate interests with the rights and interests of the people whose personal information we are using – i.e. the people we want to market to. ICO Legitimate Interests Guidance 

What about cookies?

PECR requires opt-in consent for most cookies or similar tech, regardless of whether they collect personal data or not. And we’re told this consent must meet the UK GDPR standards.

In simple terms, the rules are:

✓ Notify your website/app users about your use of cookies or similar technologies and provide adequate, transparent information about the purposes they are used for.
✓ Consent is required for use of cookies, except a narrow exclusion for those which are ‘strictly necessary’ (also known as ‘essential’ cookies).
✓ Users need to be able to give or decline consent before the cookies are dropped on their device and should be given options to manage their consents at any time (e.g. opt-out after initially giving consent).
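The three rules above describe how a consent mechanism must behave; the following is an added example (not code from the original guide) of a small consent gate that enforces them: strictly necessary cookies are set unconditionally, every other cookie is blocked until the user has made a choice, and withdrawing consent removes cookies already set. The cookie names, purpose categories and the in-memory cookie jar are constructed for illustration; in a browser the jar would be replaced by an adapter over `document.cookie`.

```javascript
// Added example: consent-gated cookie setting in line with the PECR rules quoted above.
// All cookie names and categories below are constructed for illustration.

const STRICTLY_NECESSARY = "strictly-necessary";
// Non-essential purposes the user may accept or decline individually.
const OPTIONAL_CATEGORIES = ["analytics", "advertising"];

// Registry of every cookie the site may set, tagged with its purpose.
// Only entries tagged strictly-necessary may be set without consent.
const COOKIE_REGISTRY = {
  session_id: STRICTLY_NECESSARY,
  csrf_token: STRICTLY_NECESSARY,
  _analytics_id: "analytics",
  ad_profile: "advertising",
};

class ConsentGate {
  // `jar` is any object with set/delete/keys (a Map here; document.cookie adapter in a browser).
  constructor(jar) {
    this.jar = jar;
    this.consent = null; // null means the user has not yet made a choice
  }

  // Record the user's choice. `granted` lists the optional categories accepted.
  // Re-calling this with fewer categories is how the user withdraws consent later.
  recordConsent(granted) {
    const invalid = granted.filter((c) => !OPTIONAL_CATEGORIES.includes(c));
    if (invalid.length > 0) throw new Error(`unknown category: ${invalid.join(",")}`);
    this.consent = new Set(granted);
    // Withdrawal: delete any non-essential cookie whose category is no longer consented to.
    for (const [name, category] of Object.entries(COOKIE_REGISTRY)) {
      if (category !== STRICTLY_NECESSARY && !this.consent.has(category)) {
        this.jar.delete(name);
      }
    }
  }

  // Returns true if the cookie was set, false if it was blocked for lack of consent.
  // Unregistered cookies are refused outright so nothing bypasses the registry.
  setCookie(name, value) {
    const category = COOKIE_REGISTRY[name];
    if (category === undefined) throw new Error(`unregistered cookie: ${name}`);
    if (category === STRICTLY_NECESSARY) {
      this.jar.set(name, value);
      return true;
    }
    if (this.consent === null || !this.consent.has(category)) return false;
    this.jar.set(name, value);
    return true;
  }

  // Sorted list of cookie names currently present, for inspection.
  cookies() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through the lifecycle: before consent, after a partial grant, after withdrawal.
function demo() {
  const gate = new ConsentGate(new Map());

  // Before any choice: essential cookies go through, tracking cookies are held back.
  gate.setCookie("session_id", "s-123");
  const analyticsBlocked = gate.setCookie("_analytics_id", "u-1"); // false
  const beforeConsent = gate.cookies(); // ["session_id"]

  // User accepts analytics only; advertising remains declined.
  gate.recordConsent(["analytics"]);
  gate.setCookie("_analytics_id", "u-1");
  const adBlocked = gate.setCookie("ad_profile", "p-1"); // false
  const afterConsent = gate.cookies(); // ["_analytics_id", "session_id"]

  // User later withdraws all optional consent: analytics cookie removed, essential stays.
  gate.recordConsent([]);
  const afterWithdrawal = gate.cookies(); // ["session_id"]

  return { analyticsBlocked, adBlocked, beforeConsent, afterConsent, afterWithdrawal };
}
```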

Changes are on the cards

The Data Protection and Digital Information Bill is currently progressing through Parliament. It’s not law yet, but if passed will usher in some changes to both UK GDPR and PECR.

The core data protection principles aren’t going away, nor are the lawful bases under UK GDPR, nor the rules for email marketing, text messages and telemarketing. However, one proposal could see charities being able to take advantage of the soft opt-in for email/text marketing. What could the marketing ‘soft opt-in’ mean for charities?

Our data, tech and the app-ocalypse

January 2024

In 2013, after Edward Snowden leaked thousands of secret files, the Kremlin’s security bureau did something interesting. They swapped computers for manual typewriters. Russian spooks reasoned hard copies were easier to protect than digital files. Furthermore, hackers might be able to infiltrate sensitive systems, but the old-school art of safe-cracking? It seemed to have fallen by the wayside.

As I get older, I’m beginning to think the Kremlin might have been onto something. Why?

Maybe it’s a generational issue. I’m Gen ‘X’. I grew up without mobile phones or the internet, but became familiar with the technology as it developed from the 1990s onwards. I enjoy technology. I respect it. I’m also, however, sceptical in a way many of my Millennial and Gen ‘Z’ colleagues may not be.

For me it boils down to two concerns – trust and over-reliance. Given how there’s now an app for everything, I have to ask – is the App-ocalypse Nigh? What happens to the increasingly personal and intrusive levels of personal data entered into these ‘everything apps’?

Just because data’s aggregated into zeros and ones, it doesn’t mean it’s ‘tidy’. In fact, I suspect too many digital ‘data warehouses’ resemble the hoarder’s houses you might have seen on daytime TV, with stuff scattered everywhere.

It’s not just apps – the endless requirement to populate online forms is relentless. Now I hear more ‘frictionless facial recognition’ is planned at airports in the UK and elsewhere. And it’s making me uneasy. Technology is wonderful for creating efficiencies and streamlining processes. In my world alone, I see how clever privacy technology solutions ease the burden of data protection compliance.

But is technology always wonderful? Why am I uneasy?

An example – I needed to renew my driving licence. I went on to the Government website and duly entered a great deal of sensitive data. This included my passport number, my mother’s maiden name, my date of birth, my home address and my National Insurance number. This started me thinking… ‘How secure is this platform? What are the Government really doing to prevent my data falling into malicious hands?’

At the other end of the scale, I needed to reschedule a beautician’s appointment (much needed after eating my body weight in chocolate and cheese over Christmas). My call was met by a recorded message. I duly pressed ‘2’ to cancel/change an appointment. I was then informed I must (yes, they did say must) download the app to cancel/change appointments. A look at the app’s privacy information didn’t fill me with confidence, so I rang again, selecting ‘3’ for all other enquiries. After ten minutes of listening to promotions about fantastic rejuvenating treatments, I gave up. What if I prefer not to be forced to register and share my personal details via your app? I’m getting a face treatment, not applying for a pilot’s licence!

At this point, a shout out to the Kennel Club’s customer service. I took out their insurance for my puppy this year. They’re great. I’ve had to call twice, and each time a prompt pick-up from a lovely human. Somewhat of a rarity these days.

I recently read EasyPark Group, the owner of brands like RingGo and Park Mobile, were hacked. Yes, like many others I have RingGo. I was forced to download the app to use a station car park – there was no choice. I also have other parking apps. Oh the joys of standing in the rain in a car park trying to download yet another parking app. Handing over my data to yet another company. Will these companies protect it? What security measures and controls do they have? Did they conduct a DPIA? Was it outsourced to an app developer, possibly outside the UK/EU? Did they do any due diligence?

As well as my fears around data, I also worry for the significant minority disenfranchised by the widescale embrace of what my colleague Simon calls the ‘Mobilical Cord’. It’s so very true – I’m unable to properly function without my smartphone implanted in my paw. I use it to access the internet, my emails, messages, banking and so on. It’s also a crucial part of our company security – to authenticate I am really me.

The 2021 UK Census showed 90% of households had a home computer. 93% had access to a mobile phone. I suspect it’s higher now, but it’s still not everyone. As of 2023, according to research by Statista, 98% of 16-24 year olds have a smartphone. However, this drops to 80% for the over 65s. The less tech-savvy, and particularly the elderly, are being left behind. My mother is 84. I got her a smartphone, but she hates it and doesn’t understand it. Apps? An enigma. She’s also terrified of online scams, knowing how the elderly are disproportionately targeted.

So, now we also face the prospect of passport-free travel. UK Border Force is set to trial e-gate schemes similar to those rolled out in Dubai and Australia. This negates the need to show a passport, instead using facial recognition technology (FRT).

Phil Douglas, the Director General of Border Force has said “I’d like to see a world of completely frictionless borders where you don’t really need a passport. The technology already exists to support that.” He added: “In the future, you won’t need a passport – you’ll just need biometrics.”

According to the Times, the biometric details of British and Irish travellers are already held after being collected in the passport application process. What does Phil Douglas feel about our personal biometrics being potentially harvested by countries with dodgy human rights records?

Too many people will shrug – an end to lengthy queues? Yes please. But who controls my facial map? How will it be used? Will it be shared? How will it be kept secure? Facial recognition tech also raises issues of bias in algorithms, and the potential for mistakes, with serious consequences.

I suspect, one day, there’ll be the kind of disaster one sees in movies, where the Internet collapses for a significant period. What then? I also wonder if, eventually, ambulance-chasers will identify companies using apps to disproportionately harvest data – and playing fast and loose with the safeguards set up to protect us. Will this become the next big Personal Indemnity Insurance (PII) style business opportunity?

What I do know is businesses who put all their eggs in one basket without contingencies, or fail to anticipate risk, are those likeliest to suffer when the app-ocalypse (however it manifests itself) is nigh!

Now, did I mention AI…?

The three foundations of good data governance

January 2024

People, processes and technologies

Creating a clear data governance strategy is crucial to making sure data is handled in line with your organisation’s aims and industry best practice.

Data governance is often thought of as the management process by which an organisation protects its data assets and ensures compliance with data laws, such as GDPR. But it’s far broader than compliance. It’s a holistic approach to data and should have people at its very heart. People with defined roles, responsibilities, processes and technologies which help them make sure data (not just personal data) is properly looked after and wisely used throughout its lifecycle.

How sophisticated your organisation’s approach needs to be will depend on the nature and size of your business, the sensitivity of the data you hold, the relationships you have with business partners, and customer or client expectations.

Benefits of good data governance

There are many benefits this activity can bring, including:

  • Minimising risks to the business, your employees, customers and suppliers
  • Giving your people clarity around expected behaviours and best practices
  • Embedding compliance requirements

A strong data governance approach can also help an organisation to make the most of their data assets, improve customer experience and benefits, and leverage competitive advantage.

Data governance – where to start?

There are three foundational elements which underpin successful data governance – People, Processes and Technologies.


People

Engaging with stakeholders across the organisation to establish and embed key roles and responsibilities for data governance.

Many organisations look to establish a ‘Data Ownership Model’ which recognises data governance is an organisational responsibility which requires close collaboration across different roles and levels, including the delegation of specific responsibilities for data activities.

Here are some examples of roles you may wish to consider:

  • Data strategy lead – such as Chief Data Officer / Chief Digital Officer
  • Data protection lead – such as Data Protection Officer (DPO), if you have one
  • Information security lead – such as Chief Information Security Officer (CISO) or Chief Technology Officer
  • Information asset owners (or data owners) – leaders of business functions / teams which collect and/or use personal data for particular purposes. Such as HR, Marketing & Sales, Finance, Operations, and so on.
  • Data specialists – heavy users of complex datasets, such as data analysts and data scientists.
  • System owners – the people who manage the key systems which hold personal data, such as IT managers.

Processes

Think about all the processes, policies, operating procedures and specialist training provided to guide your employees and contractors to enable them to handle data in line with your business expectations – as well as to comply with the law. For example:

Without these in place and regularly updated, your people can’t possibly act in the ways you want and expect them to.

In my experience, success comes from keeping these items concise, and as relevant and engaging as possible. They can easily be forgotten or put in the ‘maybe later’ pile… a little time and effort can really pay dividends!

Technologies

The technologies which underpin all data activities across the data lifecycle. For example, your HR, marketing & CRM, accounting and other operational systems you use regularly. Data governance requires those responsible for adopting technologies to ensure that standards and procedures are in place covering:

  • Accessibility and availability standards
  • Data accuracy, integrity and quality management
  • Privacy and security

Looking at privacy technology in particular, the solutions available have really progressed in recent years in terms of both their capability and ease of use. They give DPOs and others with an interest in data protection clear visibility of where the risks lie, help to prioritise them, and point to relevant solutions. They can also help provide clear visibility and oversight to the senior leadership team.

The ‘Accountability Principle’

Data governance goes hand in hand with accountability – one of the core principles under GDPR. This requires organisations to be ready to demonstrate the measures and controls they have to protect personal data and in particular, show HOW they comply with the other data protection principles.

Appropriate measures, controls and records need to be in place to evidence accountability. For example, a Supervisory Authority (such as the ICO) may expect organisations to have:

  • A data protection programme, with clear data ownership & governance and regular reporting up to business leaders
  • Training and policies to guide staff
  • Records of data mapping exercises and processing reviews, such as an Information Asset Register and Record of Processing Activities
  • Risk assessments, such as Data Protection Impact Assessments and Legitimate Interests Assessments
  • Procedures for handling of individual privacy rights and data breaches
  • Contracts in place between organisations which include the relevant data protection clauses, including arrangements for restricted international data transfers
  • Data sharing agreements

Ready to get started?

If you’re keen to reap the benefits of improved compliance and reduced risk to the business, the first and crucial step is getting buy-in from senior leadership and a commitment from key stakeholders, so I’d suggest you kick-off by seeking their support.

Data protection reflections and predictions

2023 highlights and what’s in store for 2024?

December 2023

What’s been most significant in the world of data protection in the past year? And what do we think will be taxing our minds in the year to come? We’ve asked some friends to share their thoughts. Grab a cuppa, sit back and enjoy our musings.

Christopher Whitewood, Privacy and Data Protection Officer, Direct Line Group

2023 was the year that AI got real! AI moved from a debate among subject matter experts to becoming a boardroom concern. The risks of AI have been widely publicised from your Terminator/Matrix doomsday scenarios, but many businesses have successfully deployed AI to streamline burdensome processes and generate efficiencies.

AI will remain a hot topic throughout 2024 and beyond. Organisations will need to consider how they can build privacy and security into model designs; explain any model deployments and ensure customer outcomes remain fair. Privacy professionals will need to develop their knowledge of AI to have meaningful conversations with interested business areas and aim to enhance their Data Literacy skills. Privacy support will be crucial to help design processes and governance that permit effective, but controlled innovation.

Businesses will need to keep a watchful eye on regulatory developments, following agreement of the EU AI Act and progress of the UK Government’s approach to AI regulation. 2024 will certainly not be dull!

Dominic Batchelor, Head of IP and Privacy, Royal Mail Group

Whilst the implications of AI will continue to feature prominently during 2024, the new year is also likely to bring the first proper post-Brexit divergence of UK data protection laws from the EU. This is both in terms of the substantive changes proposed by the Data Protection and Digital Information (No.2) Bill – notably, the loosening of accountability requirements – and the UK’s potential establishment of ‘data bridges’ to countries the EU does not consider adequate.

How this impacts the UK’s adequacy from an EU perspective remains to be seen, but concerns are bound to be raised, with questions resurfacing about the need to bolster EU-UK data transfers. We should also expect the ICO to use any increased scope for issuing fines for PECR breaches and consequently for organisations to focus more on PECR compliance.

Redouane Serroukh, Head of Information Governance & Risk, NHS Integrated Care Board of Herts and West Essex

2023 has been a record-breaking year for GDPR fines with Ireland’s Data Protection Commission (DPC) leading the way with a whopping €1.2 billion fine after it found Meta to be in violation of GDPR when transferring personal data from the EU to the US. The DPC also found time to fine Meta €390 million earlier in the year, for falling foul of the requirements of consent for advertising. Meta was not the only company on the DPC’s radar, with TikTok also receiving a €345 million fine for its handling of underage users’ data.

Here in the UK, the ICO’s highest fine in 2023 was also handed to TikTok to the tune of £12.7 million for illegally processing the data of children under the age of 13.

The ten highest fines issued under the UK or EU GDPR have been focused on many of the tech companies with WhatsApp, Spotify and Clearview AI also making it on to the list. It would appear the regulators are not afraid to go for the big companies with equally big fines and are hoping that these will serve as reminders to other companies, big or small, that GDPR compliance is just as important as it has ever been.

Robert Bond, Senior Counsel, Privacy Partnership

For UK/EU to US transfers, we have had Safe Harbour, then Privacy Shield, and in 2023 we got the Data Privacy Framework and the UK Data Bridge. The EU and UK seemed to judge the US as an adequate jurisdiction… but Max Schrems and NOYB have other ideas.

Max Schrems has said “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests.”

Personal data constantly moves internationally, and businesses need solutions. The EU Standard Contractual Clauses are influencing other jurisdictions such as the Middle East, South America, Africa and the Far East. In due course, we may get international data transfer conventions such as the OECD initiative, Data Free Flow with Trust (DFFT).

In my view the DFFT will be a major influence on a global solution, but I think we will see more bilateral agreements in the meantime. Also the EU is likely to speed up the “adequacy” approach, particularly as more and more countries are implementing GDPR-influenced privacy laws.

Sara Howers, Data Protection Officer UK, CGI

2023 has been a frustrating year, waiting to see what/when/if the UK Data Protection and Digital Information Bill (DPDI) will ever see the light of day. Now it’s going through yet another round, with some hat tipping to PECR changes and some AI musings. Until it’s finalised, who knows where it will really land with adequacy rulings, especially now there’s some discussion around revising Human Rights and Equality Bills.

Although, I’m sure most of us have briefed our Senior Management Team about the need for a SRI (Senior Responsible Individual) and how this might change the DPO’s numerous reporting lines (if we still have a DPO?).

The new ICO public listing of the cases their workers are dealing with is also somewhat frustrating. There appears to be no right to query their outcomes which are public entries, especially when you have evidence their conclusions may not be correctly attributed.

I’m sure I won’t be alone when I expect 2024 to be “all about AI”, and I also expect an uptick in Data Subject Access Requests. With many more questions around ADM (automated decision making) and what algorithms are making what decisions, it’s time for everyone to give their Privacy Notices an overhaul.

Michael Bond, Group Data Protection Officer – News UK

Back in the summer, I wrote personally to the Public Bills Committee about the DPDI No2 Bill (as it was then). I asked Government to really grasp the opportunity to innovate in the data protection space, rather than tinker about. I am now concerned, as I am sure others are, that government has not only failed to take the opportunity to show global leadership on data protection issues, but has in fact put information rights on the backburner in the UK. An opportunity lost.

Andrew Bridges, Data Governance Manager, Sagacity

I can’t believe we celebrated five years of the GDPR in 2023. I strongly believe the GDPR was needed at the time it became a regulation but, what still amazes me is how many organisations still grapple with their core understanding of regulation …yes, five years on!

As we enter 2024, we’ll now have supplementary amends created by the Data Protection & Digital Information Bill to contend with, so it looks like another year of grappling with regulations.

Oh, did I mention AI… we will see rapid experimentation and initiatives in the AI space in 2024. Whilst AI has the potential to be a force for good, we must remember it does come with a warning to ensure it’s used in an ethical way so we don’t see a rise in risk to privacy and potential misuse of personal data.

Charles Ping, Managing Director Europe, Winterberry Group

2024 really looks like it’ll be the year when all the posturing stops, and privacy takes a leap forward with the deprecation of cookies on Chrome. My prediction is that the sky won’t fall in and the disciples of Chicken Licken will wake up to a world that still has blue above our heads, where digital media is still planned, activated, consumed and measured for brands wanting to reach customers.

However, when we reflect on the sometimes partisan arguments of the past 3+ years and the endless posturing to be the next “universal ID”, we will note that this discussion has been hugely important. The whole process of deprecation has fuelled a much wider understanding of the features that define privacy-enabled marketing and measurement. Three years ago, differential privacy, salting and confidential computing weren’t on many marketers’ agenda. They are now.

Importantly, we now have an evolution in the landscape where policy and regulation understands how data protection rules can be used to enhance and fuel market power and sets us on a future path, where privacy and competitive markets are regulated in tandem. That is progress.

Philippa Donn, Partner, DPN Associates

In 2023, I was struck by the ICO’s decision to make it UK ‘Year of the Reprimand.’ The ICO announced, controversially, public sector organisations will routinely receive reprimands rather than fines. Around thirty-five reprimands were issued; mostly to organisations in the public sector, but some in the private sector too.

I appreciate fines are the ultimate sanction and act as a deterrent. Conversely, I understand how fining publicly funded organisations only serves to hit the public purse (in effect, taxpayers shelling out for mistakes made by civil servants).

What’s interesting is these reprimands are now published. Offenders are named, with details of errors made and remedies implemented. Rich learnings for us all. Some cases involved companies which suffered sophisticated cyber-attacks. Considering how devastating these can be, and the expense involved in fixing them and implementing changes, I see why a fine might not be the ‘answer.’ In the current economic climate, a financial penalty could lead to job losses or even push a company under.

As for 2024, I’ll be watching closely the fallout from the cookie warning letters the ICO recently issued to some of the UK’s most visited websites. Much of the free content we read online is dependent on advertising. Consent for tracking isn’t going to work; I predict either a stand-off with the ICO or more content being placed behind pay walls. Can trade-offs be made between advertising standards, the law and the risk of excluding those on low incomes from accessing quality online content, particularly journalism?

Simon Blanchard, Partner DPN Associates

There have been some dreadful data breaches in 2023, not least the breach by Police Service of Northern Ireland. It’s undeniable that breaches occur far too frequently. Yet even in these uncertain times of increased global cyber threat, ransomware, social engineering and so on… the lion’s share of data breaches reported to the ICO still arise from human error; not bad actors! And most are preventable.

In 2024, let’s provide practical information security training to our teams and get to grips with minimising the personal identifiers our teams process outside the core systems (e.g. in Excel or Sheets), where our powers to protect the data may be weaker.

We’ll be sure to keep you updated throughout 2024 on the progress of the UK DPDI Bill, AI developments, international data transfers, the future of cookies and any other surprises along the way!

Managing the right to erasure

November 2023

Ten tips to tackle erasure requests

What data should you erase? When can you refuse? And, on a technical level, how do you make sure everything is actually deleted, especially if held on multiple systems?

Fulfilling people’s privacy rights isn’t easy, and GDPR’s Right to Erasure can raise complex challenges. Add to this the tight timeframe to action requests, or bulk requests from third parties, and it can turn into a bit of a minefield.

We’ve got some tips to help navigate around the quicksand. But first, a little refresher on what the Right to Erasure means.

What is the Right to Erasure?

As the name suggests, a person has the right to request their personal data is erased from your systems if you no longer have a compelling reason to keep it.

You may hear it referred to as the ‘Right to be Forgotten’. This stems from a decision in 2014 by the Court of Justice of the EU which recognised the right of EU citizens to request the removal of links to personal information on search engines.

GDPR took this ruling a step further and enshrined a broader right into EU law, taking it beyond the context of publicly available personal information. Under the post-Brexit spin-off, UK GDPR, the right remains the same.

People have the right to submit an erasure request to any organisation operating within the UK/EU or organisations in other territories which handle the data of UK/EU citizens. It’s not an absolute right, and there are circumstances in which it can be denied.

When does the right to erasure apply?

You need to fulfil a person’s request for erasure in the following circumstances:

  • It’s no longer necessary for the organisation to hold onto the personal data of an individual for the purposes it was collected
  • They gave you their consent and now wish to withdraw this consent
  • You’re relying on legitimate interests as your lawful basis to handle their data, they object to this, and you have no compelling and overriding legitimate interest to continue
  • They gave you their details for direct marketing purposes and no longer want to receive communications. (You are permitted to keep a minimised record on a suppression file).
  • You’re fulfilling a legal ruling or legal obligation to erase the data
  • You’re processing a child’s data to provide information services (i.e. online services)
  • You’re handling their data unlawfully

The last point, a general ‘catch-all’, is a tricky one to balance, as there may be many reasons why personal data could be processed unlawfully.

For example, the handling of personal data might be considered unlawful if it’s inaccurate, or if necessary information about your processing has not been provided in a privacy notice.

When can you refuse an erasure request?

The right to erasure doesn’t apply when you’re holding personal data for the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation
  • for the establishment or defence of legal claims
  • to perform a task carried out in the public interest or when exercising an organisation’s official authority
  • for public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research or statistical purposes (where erasure would make this impossible or seriously impair your objectives)

Under UK GDPR there are two specific circumstances where the right to erasure doesn’t apply to special category data. Further information about these exemptions can be found in the ICO erasure guidance.

It’s also important to consider whether you have a contract in place with the individual, which requires the processing of their data, and the impact on this of the erasure request.

There may also be grounds for refusing a request where you can justify that it’s manifestly unfounded or excessive. See the ICO’s guidance on exemptions.

If you refuse to comply with a request, you must explain why and tell the individual they have the right to raise a complaint with the ICO (or other relevant supervisory authority).

There are many variables at play; each request needs to be assessed on a case-by-case basis. This is where the devil really is in the detail.

10 tips for handling erasure requests

1. Awareness

Someone can request their data is erased, either in writing or verbally. They might make this request to anyone in your organisation. So, everyone needs to know how to recognise this type of request, what to do if they receive one, who to direct it to and so on.
Awareness campaigns, training and easy-to-understand policies all play their part in getting key messages across to all staff.

2. Identity verification

You clearly don’t want to delete someone’s details unless you are absolutely sure they are who they say they are. Sometimes this will be obvious, but in other circumstances you’ll need to ask for verification of identity. However, if the deletion would have no negative impact on the individual, for example they are only on your marketing lists, you may feel asking for proof of identification is unnecessary.

When asking for proof of ID, only ask for the minimum amount of information necessary to confirm identity. Don’t accumulate more information, such as copies of passports or driving licences, unless it’s justified, and remember to delete these too!

If a request is received via another organisation, make sure this third party definitely has the authority to act on behalf of the individual in question. The responsibility lies with the third party to provide any necessary evidence to prove this. Bear this in mind if you’re the third party!

3. Technical measures

Your customers might think deleting their data is as simple as clicking a button. If only it were that easy!

It can be difficult to locate, identify, assess and properly delete data – especially if it’s held on many different systems. You might hold records on emails, backed-up systems, on the cloud… all must be deleted.

Make sure your systems, applications and databases allow the easy identification and deletion of individuals. You may also need to assess the implications of deletion; it can impact on how different software works.

This is where the concept of Data Protection by Design really supports businesses. If from the outset of any new project or initiative you make sure you factor in managing individual data rights, it will make life much easier in the long run.

It’s worth reiterating – the right to erasure extends to deleting data from backups. However, the ICO recognises the inherent difficulties here and says, “the key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten.”

4. Timeline

You don’t have long to comply with requests, so keeping track of time is crucial. The request must be actioned without ‘undue delay,’ and in any case within one calendar month of receiving it.

You may be able to extend this by up to two months if it’s particularly complex. If you need to extend, make sure you tell the individual before the first month is up, giving them clear reasons for the delay – reasons you must be ready to explain to the regulator if necessary.

5. Who else holds their data?

The right to erasure doesn’t just apply to the records your organisation holds. You’re also expected to tell other organisations to whom you’ve disclosed the personal data.

Having a clear understanding of all your suppliers, any other organisations you share personal data with, means you can efficiently contact them and inform them of erasure requests.

You don’t have to do this if it would prove impossible or involves disproportionate effort. (But again, you must be able to justify this is the case).

6. Public domain data

The Right to Erasure also applies to personal data which has been made public in an online environment (‘The Right to be Forgotten’).
You need to be ready to take reasonable steps to inform other organisations who are handling the personal data; asking them to erase links to, copies of, or replication of the data.

What’s ‘reasonable’ will depend on available technology and the cost of implementation. This expectation scales with size; the bigger your organisation and the more resources you have, the more you’ll be expected to do.

7. Children’s specific rights

Children have special protection under data protection law, and the right to erasure is particularly relevant when a child (or their parent/guardian) has given consent and at a later stage (even once they’re an adult) they want their personal information removed, especially if it’s available on the internet. Baking in the ability to delete children’s information from the start is crucial.

8. Exemptions

It’s helpful to have a clear checklist of the exemptions that might apply. They don’t all apply in the same way, so be sure to examine each exemption on a case-by-case basis. The ICO exemptions guide is a good starting point.

9. Maintain a log

How do we delete someone, but also prove we have done it? Feels contradictory, doesn’t it?

You’re allowed to keep a log of erasure requests, actions taken and justifications for these. You need to do this to demonstrate compliance.
However, make sure this log is kept securely and only holds the minimum amount of information necessary. I know some organisations who’ve taken the step of making sure this log is pseudonymised for extra protection.

10. Minimisation and retention

The right to erasure (and indeed other privacy rights, such as DSARs) can be less complex if we try to stick to two of the core data protection principles: data minimisation and data retention (storage limitation).

Collecting less data in the first place, using it in limited ways and only keeping it for as long as we need it means there’s less data to trawl through when we get a request to delete it.

Sounds simple, less easy in practice, but worth the effort. See also: Data retention guide.
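As an added example (not part of the original guide), the following Python sketch pulls together tips 3, 4 and 9: an erasure request is logged under a keyed-hash pseudonym rather than the raw e-mail address, that same pseudonym is all that is kept on the suppression file, and the one-calendar-month deadline (plus the optional extension of up to two months) is computed so it can be tracked. The HMAC key, the calendar-month date convention and all sample data are assumptions constructed for the example.

```python
import calendar
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Assumption: in a real deployment the key lives in a secrets store, not in code.
# A keyed hash (HMAC-SHA256) rather than a plain hash means the suppression file
# and the request log can still be screened against, but cannot be turned back
# into a directory of the people who asked to be forgotten.
SUPPRESSION_KEY = b"constructed-demo-key-replace-me"


def suppression_token(identifier: str, key: bytes = SUPPRESSION_KEY) -> str:
    """Minimised record for the suppression file: a keyed hash of the normalised
    identifier (e.g. an e-mail address), never the identifier itself."""
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def add_calendar_months(start: date, months: int) -> date:
    """Same day of the month, N months on; if that day does not exist (31 Jan
    plus one month), fall back to the last day of the target month. This is the
    convention assumed here for 'one calendar month'."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, extension_months: int = 0) -> date:
    """One calendar month from receipt, extendable by up to two further months
    for complex requests (the individual must be told before the first month
    is up, so the un-extended deadline is still worth tracking)."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two months")
    return add_calendar_months(received, 1 + extension_months)


@dataclass
class ErasureLogEntry:
    token: str            # pseudonym of the requester, never the identifier
    received: date
    deadline: date
    action: str           # e.g. "erased", "refused", "extended"
    justification: str    # the reason you would give the ICO if asked


@dataclass
class ErasureRegister:
    """Constructed example register: pseudonymised log plus suppression set."""
    log: list[ErasureLogEntry] = field(default_factory=list)
    suppression: set[str] = field(default_factory=set)

    def record(self, identifier: str, received: date, action: str,
               justification: str, extension_months: int = 0) -> ErasureLogEntry:
        token = suppression_token(identifier)
        entry = ErasureLogEntry(token, received,
                                response_deadline(received, extension_months),
                                action, justification)
        self.log.append(entry)
        if action == "erased":
            # Keep only the token, so a later data import cannot quietly
            # re-add someone who asked to be forgotten.
            self.suppression.add(token)
        return entry

    def is_suppressed(self, identifier: str) -> bool:
        return suppression_token(identifier) in self.suppression

    def contains_raw(self, identifier: str) -> bool:
        """Sanity check: the raw identifier must not appear anywhere in the log."""
        needle = identifier.strip().lower()
        return any(needle == e.token or needle in e.justification.lower()
                   for e in self.log)


if __name__ == "__main__":
    reg = ErasureRegister()
    e = reg.record("Jane.Doe@example.com", date(2024, 1, 31), "erased",
                   "CRM, mailing list and ticketing records deleted; backups beyond use")
    print(e.deadline, reg.is_suppressed("jane.doe@example.com"))
```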

UK data reform – key proposals

November 2023

Data Protection and Digital Information Bill – what might be on the cards?

I was beginning to think the planned changes to data protection law may slip by the wayside, but with the Data Protection and Digital Information Bill (DPDI) being included in this month’s King’s Speech, there may be a concerted drive to try and get the Bill passed into law before the next election. It seems a good time to remind ourselves what might be in store.

The Government’s stated aim in reforming UK data laws is to ease the burden on businesses, particularly smaller ones. GDPR is perceived by some to be overly burdensome, onerous, and at times a ‘box-ticking’ exercise.

What’s proposed and what might these changes mean in practice?

Firstly, in our opinion here at the DPN there’s nothing massively radical about the DPDI Bill. The core data protection principles, individual privacy rights and controller/processor obligations will remain the same. Yes, there’ll still be a need for detailed contracts between clients and their suppliers. See also: Data protection and our suppliers.

For many large organisations which operate across EU / global markets, as well as the UK, it could be mostly business as usual with EU GDPR remaining the benchmark.

There’s unlikely to be a huge impact on most small to medium sized businesses whose processing is not particularly large scale or sensitive. Existing law already provides extra flexibility for these SMEs, for example they may not need to appoint a Data Protection Officer, or to create and maintain a Record of Processing Activities.

For others, depending on their size, the nature of their business and their operational structure, it may necessitate changes and offer potential efficiencies.

Remember, nothing is set in stone yet!

8 key data reform points

The Bill is over 200 pages long, so we’ve selected some broad top-level points, summarising what’s proposed and our take on these potential changes.

1. Record keeping & Records of Processing Activities (RoPA)

Currently organisations (both controllers and processors) are required to keep a RoPA; however, there’s a limited exemption for organisations with fewer than 250 employees where the processing is not high risk and does not involve special category or criminal convictions data. The UK’s Information Commissioner’s Office has published a template covering the requirements for what information should be included in a RoPA.

What’s proposed?

The requirement to have a RoPA as stipulated under GDPR will be removed. Organisations which carry out ‘high risk’ processing would be required to keep ‘appropriate records’. Other organisations would still be under an accountability obligation to make sure appropriate measures are in place to comply with data protection law and protect personal data.

Our take on scrapping the RoPA requirement

A RoPA is a valuable business asset, to identify and keep track of what data you have and where, what it’s used for, your lawful basis, any international data transfers and so on. It’s fundamental to many other data protection processes. It can prove invaluable in getting to grips with the full scope of your processing, identifying data risks, assisting with transparency requirements (e.g. privacy notices), fulfilling individual privacy rights requests and handling data breaches.

However, we know from DPN audience surveys creating and maintaining a RoPA can be a real headache for organisations. Many say their current records don’t fully meet GDPR requirements or ICO expectations. For some businesses, creating the RoPA can lead to duplication of effort and many businesses have taken a risk-based approach, focusing on their main risk areas.

We wouldn’t recommend ditching any hard work you may have already done to create your RoPA, because you can still gain benefit from it. If your RoPA isn’t complete, this new Bill could take the pressure off somewhat. For smaller businesses (below the RoPA threshold) we would recommend keeping some form of ‘basic’ record of your activities, in line with the new Bill.

2. Data Protection Risk Assessments

Currently organisations are required to conduct a Data Protection Impact Assessment (DPIA) for ‘high-risk’ processing activities. The ICO and many EU regulators provide a list of examples of when a DPIA must be conducted (and when it might be a good idea). UK/EU GDPR sets out what criteria should be included in these assessments.

What’s proposed?

The specific requirements relating to a DPIA will be removed. Organisations will need to conduct risk assessments for ‘high risk’ processing, but will have more flexibility and won’t be tied to specific DPIA requirements or templates.

Our take on scrapping DPIAs 

Increased flexibility for organisations regarding when and how they conduct risk assessments should be welcomed. However, if you currently have an effective risk screening process and DPIA template which works for your organisation, and many do, you may decide there’s no reason to ‘fix something that’s not broken’. Also, don’t forget you may still be under an obligation to conduct DPIAs if subject to EU GDPR.

DPIAs are a well-established method to identify and mitigate privacy risks prior to the launch of any project involving personal data. We recognise some organisations may choose to benefit from this new flexibility and look for efficiencies by adopting a streamlined and perhaps bespoke process for risk assessments.

3. Senior Responsible Individual for data protection

Currently some (but certainly not all) organisations fall within the mandatory requirement to appoint a Data Protection Officer. Others have voluntarily chosen to appoint one. It’s worth noting a DPO’s position within the business, responsibilities and tasks are mandated under UK GDPR.

What’s proposed?

It’s proposed the requirement to appoint a DPO will be scrapped. Public authorities and other organisations carrying out ‘high risk’ processing will be required to appoint a Senior Responsible Individual (SRI) – someone accountable in the business for data protection compliance. This individual must be a member of senior management.

The proposed changes are also likely to impact on what ‘accountability’ looks like, and what businesses would be expected to have in place to demonstrate their compliance with data protection law. Currently the ICO has a detailed accountability framework. We understand a new ‘risk-based accountability framework’ will be introduced, requiring organisations to have in place a Privacy Management Programme, with flexibility to tailor this to suit the scale and nature of the organisation’s specific processing activities. It’s thought likely any existing accountability measures in place to comply with GDPR would not have to be changed.

Our take on DPO requirement changes

There’s been plenty of confusion about which organisations are required to appoint a DPO. Some businesses have felt they needed to appoint one when in fact they didn’t need to. Others have appointed DPOs virtually in name only, without fully appreciating the legal obligations relating to the role. See also: DPO myth buster.

This change will give businesses more flexibility, but equally it could muddy the waters and potentially lead to conflicts of interest. More clarification is needed on exactly how this role should operate, in comparison to the current DPO role.

For us, it currently raises more questions than answers. For example, what happens to existing DPOs who report into senior management, but act independently? Will a Senior Responsible Individual be able to delegate tasks to an external DPO? And not forgetting those organisations who need to keep a DPO to comply with EU GDPR, will they need an SRI as well?

4. Vexatious Data Subject Access Requests

Currently requests under the Right of Access (aka DSARs/SARs) can be refused, in part or in full, if they are judged to be ‘manifestly unfounded’ or ‘manifestly excessive’.

What’s proposed?

A concept of ‘vexatious or excessive’ will replace ‘manifestly unfounded or excessive’. Controllers will be permitted to take into account whether a request is intended to cause distress, is made in bad faith or is an abuse of power.

Our take on vexatious DSARs

Anecdotally we know of many cases where DSARs are being ‘weaponised’: not submitted to benefit the individual, but used primarily as a means to cause problems for an organisation. We welcome changes giving businesses increased grounds to decline inappropriate requests, where it’s clear the individual is not genuinely making the request because they want a copy of their personal data. See also: DPN DSAR Guide.

5. Recognised Legitimate Interests

Currently organisations can rely on the lawful basis of legitimate interests when the processing is considered to be necessary and balanced against the interests, rights and freedoms of individuals. There’s a requirement to conduct a balancing test; a Legitimate Interests Assessment (LIA).

What’s proposed?

The concept of ‘recognised’ legitimate interests is planned, where there will be an exemption from the requirement to conduct a balancing test (LIA) in certain situations. These ‘recognised’ legitimate interests cover purposes such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement.

The Bill also includes other examples where legitimate interests could be appropriate, but would require a balancing test. Examples include: direct marketing, intra-group transmission for admin purposes and security of network and information systems (although we are a little surprised the latter didn’t make it onto the list of recognised legitimate interests).

Our take on ‘recognised’ legitimate interests 

We welcome this change, as it makes sense to reduce the paperwork required for activities which are straightforward or very clearly in the interests of both the organisation and individuals.

The fact direct marketing may be carried out as a legitimate interest is not new; it is already in GDPR Recital 47, but it is reinforced by its presence in the Bill. This is a welcome clarification, but we would caution that under the UK’s Privacy and Electronic Communications Regulations (PECR) there will still be certain circumstances where consent is required. See also: GDPR and PECR.

6. Extension of the ‘soft-opt-in’ exemption under PECR for charities & other not-for-profits

Currently under PECR it’s a requirement to have consent to send electronic marketing, for example email or text marketing messages, unless you can rely on and meet the requirements of the so-called ‘soft opt-in’ exemption. This exemption is only available where the data is used for commercial purposes. Its use by charities is limited to the context of a sale, for example selling goods in a charity shop, and can’t, for example, be used in the context of donations.

What’s proposed?

The soft opt-in exemption will be extended to non-commercial organisations, covering where the direct marketing is:

  • solely for the purpose of furthering charitable, political or other non-commercial objectives (i.e. including donations!)
  • where the contact details have been obtained during the course of a recipient expressing an interest or providing support, and
  • where the recipient is given a clear and simple means of objecting to direct marketing at the point their details were collected, and in every subsequent communication.

Our take on extending use of soft opt-in 

We welcome the move to allow charities to take advantage of an exemption which has been available for commercial purposes for years. Clearly, it will be for each charity to decide whether they stick with consent or change to soft opt-in. It can only be used going forward – it’s not an opportunity to re-contact those who didn’t give consent or opted-out in the past!

Charities will have to carefully think through the pros and cons of moving to soft opt-in and would be wise to check if their CRM systems could store multiple permission statuses for legacy data alongside new data gathered under soft opt-in. See also: What could the marketing soft opt-in mean for charities?

7. Cookies and similar technologies

Currently informed consent is required under PECR for all cookies and similar technologies deployed onto a user’s device. There is a limited exemption for ‘strictly necessary’ cookies.

What’s proposed?

There are provisions to expand the categories of cookies which don’t require consent, for example website analytics. There’s also a desire to reduce or eliminate the need for cookie pop-ups, but it’s not yet clear how exactly this will be achieved.

Our take on cookies

Many businesses would welcome easing the existing requirements, although we anticipate few websites will, in reality, be able to compliantly get rid of cookie banners, unless radical changes are made! We look forward to clarification on exactly how the proposed changes might work in practice to benefit businesses and the public.

8. Increased fines under PECR

Currently, fines for violations under UK PECR are capped at £500,000.

What’s proposed?

Bringing the level of maximum fines in line with UK GDPR, meaning the ICO could issue fines of up to circa £17 million, or 4% of a business’s global turnover.

Our take on increased PECR fines

The ICO tends to take a proportionate approach to enforcement, and we envisage substantial fines would be reserved for spammers and rogue telemarketing businesses who flagrantly disregard the rules. If this goes some way to deterring bad operators and protecting the public, this could be a good thing.

Other DPDI Bill points worth noting

Scientific research

The Bill includes specific changes in relation to using personal data for scientific research, and what qualifies as scientific research. (This area could be an article in itself!)

International data transfers

The Bill doesn’t propose any significant changes to the international data transfer regime. It makes it clear mechanisms entered into before the Bill takes effect will continue to be valid. At last, some welcome news for all those grappling with the UK IDTA or the EU’s SCCs with UK addendum! See also: International Data Transfers Guide.

UK Regulator

The Information Commissioner’s Office (ICO) could be renamed the Information Commission. It will act as an independent body, with plans for new reporting obligations to the Government. It’s intended there will be more government oversight of the Commission.

UK adequacy

In summary, the above only touches on the key proposals; as said, it’s a very lengthy document! In our view the UK’s Data Protection and Digital Information Bill marks a significant but not giant step away from GDPR. There are good reasons why the Government is keen not to diverge too far. It does not want to risk the current European Commission ‘adequacy decision’ for the UK being overturned.

This adequacy decision allows for the free flow of personal data between the EU and UK, and there could be a significant negative impact for many businesses if UK adequacy is revoked. We don’t know yet if the European Commission will view the Bill as a step too far.

What next?

It remains to be seen if the Bill can progress quickly enough to pass into law before the next election. If it fails to pass before a general election, it is not known if a new Government would be so keen to press on with the proposed reforms.

UK telemarketing rules

November 2023

How to avoid falling foul of the rules for marketing calls

Hardly a month goes by without the UK’s Information Commissioner’s Office (ICO) fining another company for breaking the telemarketing rules under the Privacy and Electronic Communications Regulations (PECR).

I’m sure all of us have been on the receiving end of a dodgy call. The favoured ‘have you recently been involved in an accident?’ springs to mind.

Tackling nuisance calls is clearly a key priority for the Regulator, so how do bona fide businesses avoid being tarred with the same brush as the rogue operators?

6-point telemarketing guide

1. Service vs marketing calls

The definition of direct marketing covers any advertising or promotional material directed at particular individuals. Routine customer service calls don’t count as direct marketing.

But if you’re treating a call as a service call (and not applying the marketing rules under PECR) you need to be careful the script / call guide and what your call handlers say in practice doesn’t stray into the realms of trying to get customers to buy extra products, services or to upgrade or renew contracts.

A Trade Union was fined in 2021 for not screening numbers against the TPS. The Union didn’t believe its calls were direct marketing, but the ICO judged they were. Just because you believe you’re acting in good faith doesn’t mean you are. See also: Marketing messages and service messages.

2. Consent or Legitimate Interests?

Telephone numbers which can directly or indirectly identify an individual are personal data and fall under the scope of UK GDPR. For example, when using someone’s personal or work mobile, direct line business number or home landline you’ll need to comply with both UK GDPR and PECR.

You’ll need to decide whether to rely on consent or legitimate interests as your lawful basis under UK GDPR to make telemarketing calls to people. In brief:

  • Consent: make sure this meets the requirement to be a specific, informed, unambiguous indication of someone’s wishes made with a positive action (e.g. an opt-in). Keep records of consent (including, if relevant, the script used) and make sure withdrawing consent is as easy as it is to give it. See also: Consent – getting it right.
  • Legitimate Interests: conduct a Legitimate Interests Assessment (LIA), keep a record of this assessment and be sure to provide people with a way to opt out of future calls. See also: Legitimate interests – is it legit?

3. Live marketing calls to individuals

Below are the key rules to follow:

  • Don’t make marketing calls to anyone who’s told you they don’t want to hear from you. Keep a suppression file of all objections to telemarketing, and screen your campaigns against this internal ‘do not call list’.
  • Don’t make marketing calls to anyone registered with the Telephone Preference Service, unless you’ve collected consent to call them.
  • Say who’s calling – i.e. clearly state the name of your organisation.
  • Always display your number (or an alternative contact number).
  • Provide an address or freephone contact number if asked.
  • Make it easy to opt-out of further calls.

4. Remember sector specific rules

Stricter rules apply if you’re making calls about claims management or pension schemes. For claims management services you must have consent. For calls about pension schemes, you must have consent unless:

  • You are a trustee/manager of a pension scheme; or
  • A firm authorised by the Financial Conduct Authority; or
  • Your relationship with the individual meets strict criteria.

5. Automated calls

When using automated dialling systems which play a recorded message the rules are very strict. You must have:

  • Specific consent from individuals indicating they’re okay to receive automated calls; and
  • Calls must include your organisation’s name and contact address or freephone number; and
  • You must display your number (or alternative contact number).

In practice, these consent rules make genuine compliant automated calls very difficult.

6. Marketing/sales calls to business numbers

The rules under the UK’s PECR are the same for calling businesses as they are for individuals.

  • You can call any business that has specifically consented to your calls. Or, and most commonly…
  • You can make live calls to any business number which is not registered with the TPS or the Corporate Telephone Preference Service (CTPS). But only if they haven’t objected to your calls and you’re not calling about claims management services.

The reason screening against both TPS and CTPS is necessary (if you don’t have consent) is that sole traders and some partnerships may have registered with the TPS.
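An added example, not from the original article, of the screening step described in points 3 and 6: numbers are normalised so that the different ways of writing the same UK number all match the same register entry, then checked in turn against the internal objection list, recorded consent, the claims-management rule and the TPS/CTPS registers. The register contents are constructed sample data (Ofcom’s reserved 07700 900xxx drama range, so no real subscriber is involved) and the decision order is our assumption, not something PECR prescribes.

```python
import re
from dataclasses import dataclass

# Constructed sample registers. In practice the TPS/CTPS sets come from the
# licensed register files and must be refreshed before each campaign.
TPS = {"447700900101", "447700900102"}             # individuals and some sole traders
CTPS = {"442079460101"}                            # corporate numbers
INTERNAL_DO_NOT_CALL = {"447700900102", "447700900103"}   # objections received
CONSENT = {"447700900102", "447700900104"}         # recorded, specific opt-ins


def normalise_uk_number(raw: str) -> str:
    """Canonical form 44XXXXXXXXXX, so '020 7946 0101', '+44 (0)20 7946 0101'
    and '0044 20 7946 0101' all resolve to the same register entry."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0044"):        # international access code
        digits = digits[2:]
    if digits.startswith("440"):         # '+44 (0)...' style with the trunk 0 kept
        digits = "44" + digits[3:]
    elif digits.startswith("0"):         # national format
        digits = "44" + digits[1:]
    if not (digits.startswith("44") and len(digits) == 12):
        raise ValueError(f"not a recognisable UK number: {raw!r}")
    return digits


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def screen_live_call(raw_number: str, *, claims_management: bool = False,
                     tps=TPS, ctps=CTPS, do_not_call=INTERNAL_DO_NOT_CALL,
                     consent=CONSENT) -> Decision:
    """Decide whether a live marketing call may be made, and record why."""
    n = normalise_uk_number(raw_number)
    # An objection always wins, even over earlier consent (it has been withdrawn).
    if n in do_not_call:
        return Decision(False, "objected: on internal do-not-call list")
    if n in consent:
        return Decision(True, "specific consent recorded")
    if claims_management:
        return Decision(False, "claims management calls require consent")
    if n in tps:
        return Decision(False, "registered with TPS and no consent")
    if n in ctps:
        return Decision(False, "registered with CTPS and no consent")
    return Decision(True, "not registered, no objection; still needs a UK GDPR "
                          "lawful basis (e.g. a recorded LIA)")


def screen_campaign(numbers, **kwargs) -> dict[str, Decision]:
    """Screen a whole call list; keyed by the number as it appears in the list."""
    return {raw: screen_live_call(raw, **kwargs) for raw in numbers}


if __name__ == "__main__":
    for raw, d in screen_campaign(["07700 900101", "+44 (0)20 7946 0101",
                                   "07700 900105"]).items():
        print(raw, "->", "CALL" if d.allowed else "SKIP", "|", d.reason)
```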

Applicable laws for telemarketing

PECR gives us the rules for telemarketing calls in the UK and the ICO has published telemarketing guidance. As well as complying with PECR you should comply with UK GDPR for your handling of personal data.

The rules differ in other countries, so check local laws if your telemarketing extends to calling people in other territories. Many countries have a ‘do not call’ register similar to the Telephone Preference Service.

There are also specific rules under PECR for email marketing messages, see UK email marketing rules.

3 steps to decide your data retention periods

November 2023

How to start tackling data retention

Both UK and EU data protection law require organisations not to keep personal data any longer than necessary for the purpose(s) the data is processed for. Sounds simple, doesn’t it?

In practice, it’s one of the most challenging areas of the law to comply with. How do businesses decide on justifiable retention periods? How do they implement retention periods in practice? And, crucially, what are the risks if they get it wrong?

In our experience it’s not uncommon for many businesses to be holding onto unnecessary personal data. So when deciding how long personal data should be kept, it’s helpful to work through the following key steps.

1. Does the law tell us how long to retain certain records?

Sometimes there will be a legal or statutory requirement to retain personal data for certain purposes. This is the easy bit, as you can use this to set retention periods for certain categories of data.

For example, your business may be subject to laws relating to employment and finance which give specific periods when you process people’s data for these purposes.

There may also be a duty to preserve documents for disclosure in legal proceedings that may have started or may be started in future.

2. Are there industry standards, guidelines or known good practice?

In regulated sectors such as finance, health and manufacturing there may be agreed industry standards or agreed professional practices which recommend and/or can justify retention periods. Working to best practice and precedent makes things much easier.

3. What about… everything else?

Okay, you’ve established that for a certain dataset, and what you use that data for, there are no statutory requirements. Maybe there are also no industry standards that apply. What do you do now?

You’ll need to assess what’s necessary, proportionate and reasonable to retain. By its very nature, this is subjective; cases will often turn on their own merits. Ideally, you’ll want to be able to justify retention periods for different datasets.

Here are some of the questions you can ask to try and reach a defensible decision.

  • What are the business drivers for retention?
  • Does the product lifecycle have an effect on retention?
  • Does your approach to pricing have an effect on retention?
  • Can it be evidenced certain data is legitimately needed for a certain amount of time?
  • Do you need to keep personal data to handle queries or complaints?
  • How damaging would it be to the business to delete certain data?

To give an example, I know of a retailer which took the step of carrying out research into how often their customers purchased their products. Due to the sturdy nature of their products, the research clearly showed for many customers there was a gap of 3-4 years between purchases. This analysis was used as justification for retaining customer details for postal marketing longer than perhaps another company might.

What are the risks?

Businesses expose themselves to a number of risks if they keep personal data for longer than necessary, or indeed don’t keep it long enough.

Information security risks

The impact of a data breach could be significantly worse, with a larger volume of records and more people affected. Enforcement action could be more severe if it becomes clear personal data has been kept with no justifiable reason, i.e. a Regulator might deem that older data was unlawfully held. It could also increase the likelihood of complaints from individuals asking why their data was kept for so long.

I once received an email from a major UK brand informing me that my data had been involved in a data breach. My first thought was how on earth does this company still have information about me? I couldn’t remember when I’d last bought anything from them.

Legal risks

Where there’s a statutory requirement for personal data to be retained for a specific period, there’s clearly a risk if records aren’t kept for the statutory period.

Contractual risks

Certain personal data may need to be kept to meet contractual terms; for example to provide a service or warranties. Not keeping certain data long enough may lead to an inability to respond to complaints, litigation or regulatory enforcement.

Customer expectations

Customers expect organisations to be able to respond to their needs. For example, answering queries or responding to complaints. Data about them therefore needs to be kept long enough to meet customers’ reasonable expectations. However, once a reasonable period has elapsed a customer may not expect you to be continuing to hold their details.

All these risks could also result in reputational damage for an organisation which fails to meet its legal obligations, contractual obligations, or its customers’ expectations.

We’d recommend all businesses have a straightforward retention policy and keep a retention schedule. Admittedly these are only the first steps. Actually implementing the schedule and deleting data when it comes to the end of its retention period can be the biggest challenge. We’d suggest you review your data at least annually and cleanse it.

Using the old adage ‘you can only eat an elephant one bite at a time’, we’d advise focusing on the biggest risk areas. What data represents the biggest risk if you keep it too long?

Our detailed Data Retention Guide is full of further tips, case studies and sample retention schedules.