GDPR obligations go beyond direct marketing, so when it comes to managing commercial risk what might you have missed?
There’s been lots of talk in the cultural sector about the GDPR but much of the conversation has been focused around the use of customer data for marketing, particularly whether organisations should be relying on legitimate interest or obtaining consent. For two different perspectives see Michael Nabarro’s article in AP on legitimate interests and Culture Republic on consent.
Altogether less attention has been given to the relationship between organisations and their processors, despite the Information Commissioner’s (ICO) advice that organisations “must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met”.
The role of the processor
A processor is an organisation or individual who processes (uses or stores) personal data on your behalf. So, this isn’t just about consultants, agencies or mailing houses who process customer data, but includes anyone processing data about ‘identifiable individuals’, including your staff.
In choosing a processor that can provide sufficient guarantees of compliance, questions to ask include:
- Where is data stored? Are any copies of the data made? Who is it shared with? How long is it kept?
- What security measures are in place (including electronic and physical)? For example, are your processor’s laptops encrypted? The ICO has formed the view that should personal data be lost or stolen from a mobile device where encryption software has not been used, regulatory action may be pursued. And both you and the processor may be liable.
- What levels of insurance cover does your processor have in place?
- How will your processor submit to audits and inspections (especially if they are geographically distant)?
- Does your processor demonstrate respect for the principle of data minimisation, for example, restricting the data that is collected or instituting processes to ensure unnecessary data is removed and not retained?
- Does your processor have a data incident response policy?
Under the GDPR it is also a legal requirement to have a written contract in place with processors, and that contract must include a number of compulsory terms.
Processing outside the EEA
Transfers of personal data outside the European Economic Area (EEA) are regulated and restricted in certain circumstances, so particular attention needs to be paid to any processor operating, storing or transferring data outside the EEA. If you previously relied on a ‘Safe Harbor’ certification in dealing with US-based organisations, then you’ve given me the opportunity to share my second-favourite GDPR joke:
Q. Why is Safe Harbor like a guinea pig?
A. Guinea pigs are neither from Guinea nor are they pigs.
The Safe Harbor arrangement has been ruled inadequate but in July 2016 the EC confirmed the adequacy of the new EU–US Privacy Shield for the protection of personal data of EU data subjects. So, if you’re working with a processor storing or transferring personal data to the US you should check their registration on Privacy Shield’s list.
You should also ask EEA-based processors to confirm where they store data, including any cloud-based services used for back-up or online surveying.
If you or your processor are transferring data outside the EEA, this must be made transparent in your privacy notice, including details of how personal data will be safeguarded.
If you choose to rely on legitimate interests for processing, then the ICO is clear that you must also include these details in your privacy notice.
(Rights to) Erasure & A Little Respect
1980s pop references aside, the argument has been advanced that if a customer asks to be deleted, you should just do it. But what does the customer actually want when they ask you to delete them? If what the customer is really objecting to is receiving direct marketing, then deleting the data means you run the risk that the next time they buy a ticket they will receive marketing, because you have no means to recognise them as the person who objected. So, in this instance, suppression is better than deletion, and deletion should in fact be a last resort. There may also be other good reasons to retain data, such as keeping Gift Aid declarations to prove compliance with its rules.
While an individual’s right to object to receiving direct marketing is absolute – once someone objects, their data must not be used for marketing with no exceptions – other rights are not automatic. Individuals can request the erasure or correction of their data or object to processing, but there is no automatic right to have these requests granted (unless, for example, there is a problem with the legality of the processing).
But, under the GDPR, it is now the organisation that must demonstrate its overriding legitimate grounds to continue processing the data.
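The suppression-versus-deletion point above, as an added illustration that is not part of the original article: a constructed mini CRM where an objection handled by deletion is forgotten on the next ticket purchase, while a suppression list holding only a keyed hash of the email (an assumed design, with a made-up key and made-up customer) still recognises the objector without retaining their record.

```python
import hashlib
import hmac

# Constructed example: all names, emails and the key below are made up.
# Assumption: the key lives outside the CRM so the tokens alone identify nobody.
SUPPRESSION_KEY = b"example-secret-key-not-for-production"


def normalise(email: str) -> str:
    """Case and whitespace must not defeat the match on a later purchase."""
    return email.strip().lower()


def suppression_token(email: str) -> str:
    """Keyed hash of the normalised email; the suppression list stores only this."""
    return hmac.new(SUPPRESSION_KEY, normalise(email).encode(), hashlib.sha256).hexdigest()


class Crm:
    def __init__(self) -> None:
        self.customers = {}      # normalised email -> {"marketing": bool}
        self.suppressed = set()  # tokens only, no personal data

    def ticket_purchase(self, email: str) -> bool:
        """A purchase creates or reuses a record; marketing is on unless suppressed."""
        record = self.customers.setdefault(normalise(email), {"marketing": True})
        if suppression_token(email) in self.suppressed:
            record["marketing"] = False
        return record["marketing"]

    def delete(self, email: str) -> None:
        """Erasure: the record goes, and nothing remembers that they objected."""
        self.customers.pop(normalise(email), None)

    def suppress(self, email: str) -> None:
        """Objection to marketing: drop the record but keep the token."""
        self.suppressed.add(suppression_token(email))
        self.customers.pop(normalise(email), None)


def marketing_after_repurchase(handle_objection) -> bool:
    """Buy, object (handled by the given method), buy again: is marketing back on?"""
    crm = Crm()
    crm.ticket_purchase("Alice@Example.org")
    handle_objection(crm, "alice@example.org")
    return crm.ticket_purchase(" alice@example.org ")
```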
Privacy notice inclusions
Some organisations have raised questions about the extent to which the GDPR restricts their ability to analyse and segment their database. This usually constitutes profiling – the automated processing of personal data to evaluate, analyse or predict individual behaviours – and this can be undertaken in pursuit of an organisation’s legitimate interests.
Profiling is not subject to the same restrictions that the GDPR places on decisions based solely on automated processing which produce legal or similarly significant effects. But the fact that you undertake profiling should be included in your privacy notice.
Another question we are often asked is whether an organisation can share data with a processor when it didn’t make this clear when the data was collected. The GDPR makes clear under Article 5.1(b) that “further processing for… historical research purposes or statistical purposes shall… not be considered to be incompatible with the initial purposes”. It would nevertheless be good practice to explain how you use data for research and statistical purposes in your privacy notice.
If, in undertaking audience surveys, you or your processor collect what are known as ‘special categories of personal data’ (for example, data revealing racial or ethnic origin), then you must ensure that the data is anonymised or that explicit consent is obtained.
And finally, my favourite GDPR joke:
Q. How many arts professionals does it take to change a light bulb?
A. The receipt of your response to this joke will be used in accordance with this Privacy Notice and will be stored in a log file forever. A cookie will be placed in your mouth upon its opening as you cannot reject it. All information relating to your response will be shared with anyone who comes along. You are given the choice to unsubscribe to this joke, but we’ll remember that too.
This article is based on our interpretation of the GDPR and the ICO’s guidance and does not constitute legal advice.