What should you do with legacy data?
Figuring out what to do about legacy data is one of the big challenges facing businesses preparing for the GDPR.
Legacy data is data that a business processes now, under the existing data protection rules. These rules will change under the GDPR which sets new standards for processing data on the basis of consent. It also sets new information requirements when processing on the ground of legitimate interests.
This raises the question of whether a business can continue processing legacy data obtained on the grounds of legitimate interests or consent, once the GDPR starts to apply.
A Bit of Background Information
From 25 May 2018, businesses must comply with the GDPR as well as the E-Privacy Regulation when processing personal data for e-marketing purposes.
Under existing data protection law, businesses must have a lawful ground for processing personal data. While there are a number of lawful grounds, businesses frequently process personal data for e-marketing purposes on the grounds of “legitimate interests” or “consent”.
The E-Privacy regulations add supplemental requirements which apply to e-marketing. This includes requiring businesses to obtain the data subject’s consent to the processing of his or her personal data for e-marketing purposes, in certain cases.
The GDPR does not change the rules set out in the E-Privacy Regulations, however, it will impact on processing personal data on the grounds of legitimate interests or consent.
Regarding legitimate interests, the biggest changes are that businesses will need to:
- update their privacy notices to include additional information and communicate them to individuals; and
- document their decisions on legitimate interests so that they can demonstrate compliance under the new GDPR accountability principle.
The GDPR has more significant consequences for consent, which must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes. The data subject must give his or her consent by a statement or clear affirmative action. As in the case of legitimate interests, businesses will need to be able to demonstrate compliance with the GDPR consent requirements.
When is consent required for E-marketing?
Under the E-Privacy Regulation, businesses need consent if they wish to process personal data for e-marketing purposes, where the data subject is not a customer. In contrast, a business can market to its own customers on an opt-out basis if it has a) collected its customers’ contact details in the context of a sale and b) given them the right to object to the use of those details for e-marketing purposes at the time of collection. It is worth noting, however, that there is change afoot with the E-Privacy Regulation and this is likely to move to an opt-in requirement over the next few years.
So how can businesses continue e-marketing under the GDPR?
Businesses must stop processing data that does not comply with the GDPR after 25 May 2018. This means that before then they must audit their marketing data to find out what personal data they have, where it is, and what they use it for. They must also review their current work processes and records in detail to ensure that their existing grounds for processing data meet GDPR standards and that they have evidence to back this up.
When processing on the basis of consent, businesses will need to ensure that they can demonstrate that they have obtained actual consent. Presumed consent based on, for example, pre-ticked opt-in boxes will not be enough.
If a business’ existing grounds for processing data do not meet GDPR standards, it will need to take measures to meet those standards if it wishes to continue processing data collected on the basis of those grounds.
Alternatively, businesses may take an advantage of a once-off opportunity to change the ground on which they are processing personal data. While the GDPR does not allow businesses to swap between one lawful basis and another, businesses can make such a swap before the GDPR applies, at least according to the Article 29 Data Protection Working Party.
Is there a silver lining?
Achieving GDPR compliance is likely to involve a lot of work for businesses but there is a silver lining. Once businesses have completed their personal data audit they will be well placed to take all the measures necessary to comply with the GDPR. They will also be able to evaluate their personal data and assess its real value to their businesses.
In particular, the audit should help businesses identify personal data that is out-of-date or otherwise inaccurate and to take appropriate measures. In some cases, this will mean updating the personal data, in others the business may decide that the data is not sufficiently valuable to continue using for e-marketing purposes.
Under the GDPR there are risks and costs to processing personal data and carrying out a data audit will help businesses decide whether to assume these risks and/or incur these costs. For example, under the GDPR, businesses must take measures to ensure personal data is accurate and, where necessary, kept up to date. Moreover, the GDPR provides a number of rights for individuals which also impose obligations and related costs on businesses. Finally, the more data a business holds, the more risk of a security breach. The GDPR requires businesses to report certain types of personal data breaches to the relevant authorities. In addition, any security breach is likely to result in a degree of reputational damage that most businesses could do without.
Spring Clean and Save Costs?
In short, businesses should consider using the GDPR as an opportunity to spring-clean their e-marketing databases with a view to improving the effectiveness of their e-marketing campaigns and reducing their GDPR compliance costs. Businesses that take full advantage of this opportunity could well find that the GDPR proves to be a blessing in disguise.
We have seen how GDPR is prompting a review of how marketing databases are collected and curated. Some businesses have even opted to pull back significantly on online direct marketing – not directly as a result of GDPR but because GDPR prompted a fresh look at the databases. Many businesses have found that they hold inefficient and underperforming marketing databases and some have concluded that they just aren’t delivering ROI to the business.
Businesses who take a long hard look at their legacy data to evaluate the cost and risk against the benefit delivered to the business will not only be more compliant – they will be better off financially as well.