21 Jan Six Months After GDPR
It has been over six months since GDPR came into force and, while we’ve come a long way since, there are still ongoing discussions about best practices.
The way we manage data has changed a lot over the years. Previously, we had to adapt to certain rules that made us take data protection into consideration, but it was never our main concern. Now, with GDPR, data protection is at the top of our priorities whenever we perform any activity that involves data management.
Alejandro Negro from Cuatrecasas defines data protection as something we should take into account, from design and by default: “From now on, whenever we want to launch a new product or service or any activity that involves data management, we have to ensure that it complies with GDPR in our list of basics. Also, by default, we should always try to use the least amount of data possible and within the least time possible, using it exclusively for the established purposes.”
While we’re still learning about GDPR, after six months we can already draw some conclusions. These are three key insights we took away from the AERI (Spanish Association for Investor Relations) roundtable in November 2018 with Alejandro Negro from Cuatrecasas, Ana del Villar from Iberdrola and Gabriela Halasz-Clarke from Nasdaq.
Consent vs legitimate interest
Around May 25th 2018, it seemed that the world was coming to an end. Every company with businesses in Europe had their minds on GDPR, making sure they met the deadline to be compliant. Everyone knew this was coming, but there was a lot of uncertainty about what it entailed. Now we realize that the rules give us the opportunity to establish good practices and procedures to manage data, even if they’re ambiguous in some cases.
Initially, most thought of using consent as the legal basis for the data they were managing. This seemed to be the most “secure” way, as asking clients and prospects directly whether or not they wanted to receive communications from companies would not leave room for errors. But what would happen if they didn’t answer the question?
According to Alejandro Negro from Cuatrecasas, only around 5% of people tick the consent box in the communications they receive. This means that once companies ask for consent, they would need to remove around 95% of their database, because once consent has been chosen as the legal basis, you can’t switch back to another one.
Based on the results from companies that applied this legal basis, we’ve learned that we should avoid explicit consent where possible: the rules often allow us to set explicit consent aside and rely instead on one of the other five legal bases for data processing, which are equally valid and strong:
- Data processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
- Data processing is necessary for compliance with a legal obligation to which the controller is subject
- Data processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Data processing is necessary for purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
On the other hand, we have legitimate interest, which, according to Gabriela Halasz-Clarke from Nasdaq, was the intermediate option between those who took a very conservative approach (explicit consent) and those who continued doing business as usual until their legal team advised them that something needed to change.
Legitimate interest is a more flexible legal basis which allows us to continue managing data as long as there is a real expectation from clients and/or prospects — based on their relationship with a company — to process their data and receive certain types of information. For example, if a provider offers a service to a client, that client could expect that — given the relationship — the company will send them communications related to the services that they are paying for.
The companies that used this as their legal basis didn’t send emails asking for explicit consent. They informed contacts about the changes in their privacy policies and gave the data owner the option to unsubscribe if they no longer wanted to receive information. This gives companies the opportunity to continue managing data unless the data owner actively asks them not to.
With all this comes the question: for how long should data be retained? This is something you should establish in advance and communicate as well. When following the legitimate interest legal basis, you should follow the same criteria as with the type of information you send: for how long might this person expect to receive information from our side? You should establish a reasonable time depending on the type of data you are managing and its purpose.
Ana del Villar from Iberdrola gave the example of managing investors’ data, which can be tricky because investors are constantly entering and leaving the company’s shareholder base. In this case, going with explicit consent might take a lot of effort. If you apply legitimate interest, reviewing your database every year sounds reasonable, as does keeping the data for one year after they stop being shareholders. After that, the “expectation” criterion of this legal basis loses force.
Security is one of the major concerns when it comes to GDPR. After all, the aim of the law is to protect data.
Companies have been changing how they manage data in an environment where security breaches have significant consequences. Storing data in Excel documents or similar files no longer seems secure, and the use of secure technologies to process, manage and centralize data in order to avoid leaks is becoming more important.
Previously, if you had a security breach you would try to resolve it as soon as possible and hope that you could fix everything before those affected noticed. Now, depending on the severity of the breach, you are obliged to notify the data owner first. If there is a risk, you have to notify the Data Protection Agency, and if the risk is very high, you also have to notify those affected within 72 hours after the security breach took place.
For some companies, particularly in the technology industry, GDPR is not only something they need to comply with: they also need to provide a service or product that helps their clients comply as well. With the increased awareness of data privacy, this is no longer optional but a must.
Although companies are still tying loose ends and are unsure about being fully compliant, some find peace in the fact that they’re not alone.
Companies survived the 25th of May and learned that GDPR is a work in progress, and not as strict as was initially thought. As long as you’re working on processes to become compliant, you’re going in the right direction. Learning from other companies and keeping yourself up-to-date is the best way to remain on track.