The GDPR: Your questions answered, Part 2

Vuelio was thrilled to be joined by Rowenna Fielding, senior data protection lead at the data protection consultancy Protecture, for our recent webinar: GDPR for Comms – Expert Advice to Get It Right. Unsurprisingly, we had dozens of questions to get through and couldn’t manage to answer them all on the webinar itself.

We split these questions into two parts: those about the GDPR in general and those specifically about using Vuelio in relation to the GDPR. Here are the answers about using Vuelio in relation to the GDPR, Rowenna has very kindly answered the general questions here.

If we obtain information from Vuelio such as media lists, do we still need to tell people they’re on our database?
You are a Data Controller in this scenario so you need to have your own lawful basis for processing people’s data and make this clearly available to those you’re contacting. If you’re using consent, you need to have a positive opt-in from the individual before you contact them. That means if you have not previously gained contacts’ consent to be emailed, you are not able to ask their permission as part of a consent model. Also, if you choose a consent model then you have to get an affirmative opt-in in order to use that person’s data. If they say ‘no’ or do not reply to your consent request, you can no longer contact that individual – even if they’re on the Vuelio database due to our legitimate interest.

If you have a legitimate interest, you’re not seeking permission to use the data but rather making it clear why you’re using it in compliance with the GDPR. A legitimate interest needs to make it clear why you have their data, what you’re using it for and prove you have considered your interest against their rights and freedoms in something called a balance test. This can be available in a link to a privacy policy web page or in the email you send them, but it should be specific to the situation and not generalised.

Whatever your basis, you need to have a clear means to opt out and you need to keep a record of the fact you’ve informed them of your lawful basis, in whatever manner, as this is part of the audit trail.

Can we maintain and update notes and information on individuals (ie journalists) without their consent, and do we need to share these notes with that individual if they request to see the data we hold on them?
It depends what your lawful basis for processing data is. If you are not using consent as your lawful basis for processing personal data and are instead using legitimate interest, you would not need to seek consent for keeping notes but would need to make it clear what type of notes you’re keeping and the purpose you have for keeping them, considered against the journalist’s rights and freedoms. This balance test cannot be a catch all if you are keeping different types of notes for different reasons for different journalists. The legitimate interest should be clearly laid out and made available to the journalists so they are informed of your lawful basis.

If a contact wants to know what information you hold on them, you have just 30 days to send it to them. It includes all information in spreadsheets, emails, different folders or presentations – and does include private notes you keep on them. We recommend that our clients keep everything in Vuelio, so that information is available in just one place, which makes it easy to report to the contact.

If liaising with a journalist through a third-party media database, would that need to be updated or would the responsibility be on the database company to uphold the GDPR?
You are processing their data and you are therefore a Data Controller. That means you must have clearly outlined your lawful basis for processing their data and make it available to individual you’re contacting. Vuelio has its own lawful basis in legitimate interest, which we are communicating with everyone whose data we process in compliance with the GDPR.

Our database is an excel document stored on our network (accessed only by the in-house PR team) – it contains journalist, blogger, editors etc. information. What do we do about this? How do we move forward?
Storing personal data in Excel spreadsheets makes the security of that data more fragile as it may not be comprehensively stored (is your system safe against hacks? Do all of your colleagues have access to it? Do they need to? Is there a risk someone could lose a laptop and the spreadsheet be accessible to an outsider?). There’s also a risk that if a journalist makes a subject access request – asking for every piece of data you hold on them – you’ll miss something from one of your spreadsheets as you’re relying on a manual process.

We would always recommend keeping every stage of the process inside Vuelio, so we’re able to ensure maximum software security for the data. If you’re not sure if your database is compliant, fill in this form and one of the team will be in touch.

What’s the situation for pre-existing data in the database service? That data won’t have been obtained by the client, so how is a legal basis/legitimate interest established or consent managed?
Vuelio is able to build and maintain our Database due to our legitimate interests. You need to establish your own lawful basis for your legitimate interest, which will include private contacts you’ve uploaded, and you should only hold information about them which is necessary to maintaining a good working relationship.

We can only guarantee the data we’ve uploaded in the system is GDPR compliant and would recommend you seek legal advice if you think your private or personal data that you’ve uploaded into Vuelio does not comply with the GDPR’s legitimate interests.

Is it important to centralise all data into one place, for example a CRM system or a crude Google Sheet?
We recommend keeping everything inside Vuelio, so we’re able to ensure maximum software security for the data and so you can manage subject access requests without manually searching through various programmes and documents. You do not have to keep everything in one place, but the more places you keep it, the more risk you are exposing yourself to, both in the security of the system (and a potential data breach) and a risk you will not be able to easily gather information for subject access requests if the required information is in multiple locations.

How does the GDPR impact exporting groups from Vuelio? Are there limits to what can be done with those exported contacts?
There are no limits (within legal reason) but under the GDPR it is a more complex burden. The security of the data becomes your responsibility, as does its deletion if a journalist wants to be removed from your mailing list. Excel spreadsheets and Outlook (including your sent items and inbox) become part of the GDPR chain. So, you’ve gone from one system – Vuelio – which is compliant, to at least three – Vuelio, Excel and Outlook.

If a contact wants to know what information you hold on them, you have just 30 days to send it to them. That may sound like a lot of time, but it includes any information in spreadsheets, emails, different folders or presentations. If you keep everything in Vuelio, that information is available in just one place and easy to report to the contact.

If you export information from Vuelio and then the data is accidentally lost, stolen or removed from your computer, this is a breach. All breaches must be reported to Vuelio and the ICO, and you will be responsible for the consequences of that breach. Vuelio takes its security very seriously to limit the chance of breaches and keeps its data in compliance with GDPR.

Can you give an example of a Data Processor?
A Data Processor is a company that is contractually obliged to process data on behalf of a Data Controller. There must be a contract in place explaining what the Data Controller requires and limiting the Processor’s actions to meet these requirements. A Processor is not allowed to decide how data is collected or what it should be used for, and should not use it for any other reason than those stated by the contract with the Data Controller.

Vuelio is both a Data Controller and a Data Processor. When we create our Database, we decide how that information is being collected, why, how it is stored and the process for its deletion. When our customers use the Database, they become the Controller as they are deciding which data to use, how, why and are responsible for its deletion if it is requested, and Vuelio is the Processor – contractually obliged to process the data in line with the expansive capabilities of our software.

If the client doesn’t add private contacts on the Database but requests that Vuelio adds them, who is then Processor and Controller?
If the client has supplied the contacts to be uploaded and they are being uploaded only to the client’s Database, then the client is the Controller (they’ve decided what, how and why the data was collected) and Vuelio is the Processor (contractually obliged to upload them in accordance with the Controller’s request).

If you make a request for contacts to be added to the Database and they become available for everyone, then both Vuelio and the client is a Controller.