With GDPR fast approaching, most organisations have finally decided to get their (data) house in order and make some drastic changes to how, where and why personal data is stored and used. It’s clear that GDPR, which becomes enforceable on 25 May 2018, will be policed more strictly than the rules it replaces, and defining what should and shouldn’t be done is key to putting a proactive plan in place as soon as possible. The new regulation introduces fresh obligations for handling the personal data you collect from clients and partners, and a company that is unprepared will struggle to answer SARs (Subject Access Requests), which become free of charge and must be answered within a month, and which turn on what personal data you hold, how you store it and what you use it for.
One of the main issues expected to arise for unprepared organisations is consent. From May 2018, GDPR will require companies to give a clear explanation of the processing to which subjects are consenting. (GDPR reserves the term “explicit consent” for special-category data, but ordinary consent must still be a specific, informed and unambiguous affirmative act.) Consent must be freely given and “opt-in” in nature, and withdrawing it, or asking for personal data to be erased, must be as easy as giving it was, at any time the subject chooses. Gone are the days when silence or inactivity were good enough to collect consent: pre‑ticked boxes do not constitute valid consent. That’s where the legacy data conundrum comes in, making the upcoming changes under GDPR a little more confusing.
Legacy data – what is it?
Legacy data is usually described as information that has been stored in an old or obsolete format or system and is therefore difficult to access or process when required. For GDPR purposes the more useful definition is personal data collected under the pre-existing data protection rules: migrating it to a new system and a new set of processes does not change the basis on which it was collected, so it is still legacy data and needs to be treated in a very specific way. The question on everyone’s lips is: ‘What will happen to the personal data your company has collected under pre-existing data protection laws once GDPR and its consent requirements are fully enforced?’
Legacy data – what needs to be done
While much of the guidance around the usability and maintenance of legacy data after GDPR is enforced remains foggy, some things are very clear. It’s not a safe bet to rely on leniency over legacy data and consent. Asked whether we can still use legacy data that was collected in line with past legislation, Steve Wood, Head of International Strategy and Intelligence at the UK’s Information Commissioner’s Office, recently commented at an IAPP event: “Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.” He continued: “What you will see is a common-sense, pragmatic approach to regulatory principles.” Keeping that in mind, the only logical approach is to adopt a strategy for re-consenting and re-permissioning before the deadline hits. Consent obtained under the old rules carries over only if it already meets the GDPR standard (Recital 171); consent gathered through pre-ticked boxes, bundled terms or silence will not, and no grandfathering privileges will be granted to legacy data after May 2018. Where you cannot evidence who consented, to what and when, treat the consent as absent.
Legacy data & email marketing
On the topic of legacy data and direct email marketing, things can be approached a little differently. For current customers and email subscribers you will need to be ready to supply proof of an existing customer relationship (the PECR “soft opt-in”, under which contact details obtained during a sale or sale negotiations may be used to market your own similar products and services, provided the subject was offered a simple opt-out at collection and in every subsequent message) or provable subscriber consent. For lapsed customers and inactive email subscribers you will no longer be able to justify using their personal data and will need to delete unnecessary information and roll the rest up into aggregated reporting data. If you have active subscribers on your email lists but do not hold provable consent, it is possible that this activity itself can constitute proof of a current customer relationship. You’ll need to demonstrate the value of the content you are delivering and its function as a standalone service, and be prepared to argue that subscribers would suffer a real loss if the deliveries ceased.
A solution to legacy data uncertainty
We recommend avoiding the hassle and using a service within our platform whereby you can ingest your legacy databases and batch email all legacy data subjects to request fresh consent in one click. From there you have an auditable log of the data subjects who have consented to your terms and those who have rescinded consent, and you can set rules to automatically purge non-responders from your database after a retention period you define. With PlanetVerify you can manage, verify and store your customers’ personal data from one dashboard, and collect all new personal data through the same system going forward. One caveat before you press the button: a re-consent email is itself a direct marketing message under PECR, so it can only be sent to people whose existing consent or soft opt-in already covers it; the ICO fined Honda and Flybe in 2017 for emailing people who had opted out to ask whether they wished to opt back in. Free up your time for Q1 of 2018, take the stress out of GDPR compliance, and shrug off SARs.