How do database and marketing platforms change under the GDPR?
The new General Data Protection Regulation (GDPR) came into force on 25th May 2018. There are several ways in which the new Regulation directly impacts on the capabilities required by your database and marketing platforms. In this article we will explore some of these important impacts.
1. Consent for direct marketing
Prior to the GDPR, the database needed to record the most recent status of consent for 1st & 3rd party personal data (where collected) and be able to manage opt-outs or unsubscribes for specific channels.
Now, under the GDPR, organisations also need to able to demonstrate ‘unambiguous’ consent for 1st & 3rd party data, which is in compliance with the GDPR and the latest ICO & EU guidance. Where an organisation uses more than one type of consent wording (e.g. for the website, face to face, in-bound calls, etc), it may be wise to keep an electronic file comprising indicative copies of all past and present consent statements. These will help you to meet the GDPR requirement for evidence of consent, in the form of;
a) status of consent (e.g. opt-in)
b) channel (e.g. for marketing emails)
c) the purposes of communications
This record of consent may be very useful in the event of a complaint or ICO investigation.
The next step is to add a field to records on the database identifying which consent statement was used. For example, for Mr Sample, the most recent consent was collected via the website using consent statement number 3, giving the status of ‘opt-in to 1st party email’, with a time/date stamp.
The database must still be able to record and process opt-outs and unsubscribes for the relevant party and channel.
Where the organisation is using legitimate interests as the basis for processing, rather than consent, you should nonetheless notify people they can opt-out and be sure to suppress those who opt out. Otherwise it could be argued that the processing infringes the rights of the data subjects. (We have published Guidance on the use of Legitimate Interests under the GDPR).
2. Parental consent for minors
If your organisation collects data from minors, you should give consideration to arrangements for collecting and storing parental consent. You may wish to do this by asking the minor for their parent’s email address, then emailing the parent to ask for consent.
Under the GDPR, the age of consent for processing data can vary by Member State, which could make it tricky for organisations collecting data from minors across various countries. Parental consent is always required for under 13’s, but Member States may set their own rules for those aged 13-15. If they do not to have those rules in local law then parental consent will be required for under 16’s – i.e. at 16 they can give consent for themselves.
3. Consent to process special categories of personal data
The term ‘sensitive personal data’ has been replaced by the term ‘special categories of personal data’ under the GDPR. There are some changes in scope, but these are relatively small. In some cases, if you wish to process special category data it may be justified under a contract, or due to a legal requirement. But where those grounds are not available to you then consent will normally be required, just as it is now for sensitive data. This consent will need to be explicit. Many databases struggle to record this type of consent separately from consent for direct marketing, so if your organisation processes sensitive personal data this needs to be addressed.
4. Automated Processing including Profiling
This is a new area for the GDPR, as profiling has never been precisely defined under past legislation. This section carries the caveat that the ICO has not, at the time of writing, issued guidance on profiling. So we are waiting for their steer on some aspects of automated processing and profiling.
Two types of profiling have been identified:
• Profiling for direct marketing purposes
- The right to object to profiling exists and must be made clear (subject to clarification in forthcoming guidance)
- If an individual opts-out out of direct marketing then this must be recorded on the database. In this instance you may not profile them for direct marketing purposes either.
• Profiling with ‘legal or similarly significant effects’
- We don’t yet have guidance on what ‘similarly significant effects’ might mean but we do have examples of legal profiling, such as that which may be used to screen a credit card application – which may result in an automatic Yes or No decision.
- Unless it is required to enter into a contract, or required by law, explicit consent is required for these types of profiling. That consent must be recorded on the database.
- The existence of this type of profiling must be notified to data subjects and you must make it clear the effects of refusing.
5. Right of access to data and right to rectification
A data subject continues to have the right to access their data when it is stored by a data controller, or by their processor. This is known as a Subject Access Request (SAR). In terms of the database requirements, organisations which have complex data structures may struggle to find all the instances of data relating to a specific individual which would be required to complete a SAR in a compliant manner. It could be resource-intensive to check on multiple databases, websites and email systems.
Should the data subject find that the data is inaccurate they have the right to have those inaccuracies rectified across all databases held by the organisation.
Organisations should keep a record of SARs made by individuals. If requests are “manifestly unfounded or excessive, in particular because of their repetitive character,” the data controller has grounds to refuse them.
6. Right to erasure
There is a new right called ‘right to erasure’ which enables data subjects to request personal data concerning them to be erased ‘without undue delay’. The data controller must assess these requests in the light of any contractual or legal obligations they may have to retain the data, e.g. there is a legal requirements to keep financial records. Controllers must inform data processors of any erasure request and take ‘reasonable steps’ to tell other data controllers where the data has been shared. This means that records of data sharing will need to be kept.
The minimum amount of personal data may be retained solely for the purposes of suppression:
‘The further retention of the data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation.’
Clearly it is a challenge to process a request for erasure on the database. Recital 67 gives guidance which provides some flexibility for handling erasure requests:
‘Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.’
7. Right to data portability
Now GDPR has come into force, European data subjects have the right to receive the personal data which they have provided to a controller in a ‘structured, commonly used and machine-readable format’. They also have the right for their data to be transmitted to another controller ‘without hindrance’ from the controller to which the personal data have been provided, but this right is tempered by the words ‘where technically feasible’, so it may be difficult to enforce. The right only applies to where the personal data is provided under a contract or consent.
Fortunately some flexibility has been afforded. The right to transmit or receive personal data, ‘should not create an obligation for controllers to adopt or maintain processing systems which are technically compatible,’ so system changes will not be mandatory.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.