The GDPR: Your questions answered, Part 1

Vuelio was thrilled to be joined by Rowenna Fielding, senior data protection lead at the data protection consultancy Protecture, for our recent webinar: GDPR for Comms – Expert Advice to Get It Right. Unsurprisingly, we had dozens of questions to get through and couldn’t manage to answer them all on the webinar itself.

We split these questions into two parts: general questions about the GDPR and those specifically about using Vuelio in relation to the GDPR. Rowenna has very kindly answered the general questions below, the second part focusing on Vuelio is available here.

How active does consent have to be? For example, if someone was to add their email to a list knowing they will be updated with an email (“Add your email to stay updated”) would they still need to opt in?
Adding their name to the list would be the opt-in in that case. However, if you collected the email for another purpose (such as sending a meeting invitation) then you’d need to get consent separately for marketing. ‘Bundling’ consent (eg, ‘by consenting to x, you also consent to y’) is not allowed as it is not specific and unambiguous. Similarly, inferring consent (eg ‘by visiting this website you consent to your data being processed’) is also not valid, as consent it is not specific, unambiguous or freely-given. The outcomes you’re looking for are:

• The person giving consent should never be surprised to find that they’ve agreed to something
• The person should never be surprised to realise what they have agreed to
• You can show some evidence that they took some positive action to agree to a specific type of processing of their own free will, having been given enough information to make an informed choice

If we remove all information about someone from our database (based on their right to be forgotten and removed), can we store any information on them in order to ensure they are not added back (e.g email in a blacklist)?
Chances are that although they have asked to be forgotten, what they really wanted was to object to your processing – not quite the same thing. If the outcome they are seeking is not to hear from you any more, then you must keep their info for suppression purposes. I advise explaining to them that you need to keep the info to prevent future comms being sent to them but that you won’t use the data in any other way. However, if they insist on erasure then you’d need to look at the legal basis for processing to determine whether that right even applies. Someone who has asked to be erased shouldn’t turn up on the database again unless they explicitly opt-in anyway, unless you’re buying in email contact lists which is a very risky practice, compliance-wise.

If we email our contacts asking for their consent, can we still keep sending them stuff if they don’t reply at all?
If you don’t already have their consent (or soft opt-in) for email marketing, then it is unlawful to email them to ask for it. If you ask and don’t get an answer, that’s the same as a ‘no’ – only a positive action to indicate agreement can be consent. If you carry on emailing them without consent, you run a much greater risk that complaints will result and trigger an ICO investigation.

If a client asks for our media list with journalists on, would we need to tell each we are passing the information on?
Depends on where the information came from, how, what you’ve already told the journalist about how you’ll use their information, whether the information could be obtained anyway from public sources, what the client is going to do with the information… If handing out the journos’ contact info is something you do often then that’s the sort of thing you do need to put into a privacy notice and call the journalists’ attention to.

Would a footer on your email sign off stating that you hold data be sufficiently clear?
It’s one way to communicate privacy info, but since no one actually reads email footers, you might have a difficult time demonstrating that it is an effective approach. Linking to more detailed privacy info in an email footer certainly doesn’t hurt and gives wider exposure but if it is a standard footer then the information given would either need to be large in volume, or so generic that it doesn’t actually meet the GDPR Article 13 and 14 requirements.

Are opt-in checkboxes on landing pages and websites enough for compliance for digital marketing campaigns (i.e. downloads, subscriptions)?
Opt-in mechanisms are one aspect, suitable privacy information, unsubscribe links in each message, an accurate up-to-date suppression list and audit trails of consent given are all required. Then, the personal data has to be processed in compliance with all of the principles.

NB: Yes/No sliders or radio buttons are better than tick boxes, as tick boxes create ambiguity about intention where someone who has previously ticked fails to do so a second time.

What are the rules within the historical archiving? When do exemptions apply?
If the processing is necessary for historical archiving, then that’s an acceptable legal basis (ie no consent needed, some rights including erasure and subject access are limited, no need to go back and tell data subjects that’s what you’re going to do), but a risk assessment of the potential impacts to the data subjects’ rights and freedoms is required and steps need to be taken to manage those risks. Depending on the processing and the types of data involved, this could vary from not publishing the data for at least 100 years, to redacting names or other identifiers, to only using aggregated statistical information (those are just hypothetical examples, not a checklist!).

How long are we able to keep records for?
It depends on the purpose of the record-keeping, any legal obligations for record-keeping, business/operational needs for the data to be preserved and a balance against rights and freedoms of the data subjects. That one is impossible to answer generically, it needs digging into ‘what records and why would you want to keep them’?

GDPR says you can keep them as long as you need them but it’s up to you to justify how long that is and you have to be able to prove that you really need them, and you’re not just keeping them hanging around in case they turn out to be useful later.

If we have thousands of emails going back to 2005 from press and clients, do we have to delete them all? The problem is we have sometimes had to refer back to some of them so to delete them all would clear all records of any agreement?
You need to review them to determine which to keep and which to delete – that will depend on the purpose of processing the personal data in the first place, and the legal basis. You could just delete them all – that would be much easier than going through them! However, you can’t just keep them all either in case there is useful info tucked in there. You need to define what you want to keep and why (such as, records of transactions, agreements, complaints) and get rid of anything that doesn’t fall into that critieria.

If you gather emails through a third-party email platform, is there anything additional you need to do?
If the third-party is just a Processor then you need to have done some diligence on their data protection compliance, you need contract clauses addressing data protection to be in place and you should be doing some kind of checking or monitoring that they are doing the things you’ve told them to (and not doing anything you haven’t told them to).

Some US-based services are problematic because they are not just Data Processors. They use the personal data that travels across their services for their own commercial purposes, such as profiling for targeted advertising, selling insights or access to data for marketing purposes to other parties, and sending their own marketing comms. You need to read the Ts&Cs and privacy info very carefully – in general, it’s lower-risk to use an EU-based provider, for reputational protection if nothing else.

We use an American email service, will it be contravening GDPR because the data goes via a server in the US?
It’s not the US transfer that’s the problem., it’s the processing that the platform may do as a Data Controller (profiling, marketing, cross-customer data-matching, augmenting data from third party sources) which you could be exposing your subscribers to without an appropriate legal basis or transparency info.

What is the best way to get informed consent when people are signing up (e.g. to a mailing list) using a paper form? Is it necessary to show them a printed copy of your entire privacy notice?
There’s no ‘best’ way, really. The only privacy info they need to be given at the time of consenting is the stuff that’s relevant to what they are consenting to. So, if you are asking for consent to send email marketing, you’d need to tell them about any embedded tracking, data augmentation using third party sources, and what sort of content they can expect to receive (the purpose of the processing). If your privacy notice is one huge document that tries to cover everything, then you’re doing it wrong! You also don’t have to supply the information in hard copy. See the ICO’s Privacy Notice Code of Practice for more detailed guidance.

What consent is required for taking a photo for a news release or social media feed and then storing it and reusing in a publication? Must they tick every box, for example: ‘you can use my photo on: website, social media, corporate publications etc. Or can it be a catch all paragraph giving permission to store and use on any comms channel and just give examples within that paragraph?
It depends on the purpose that the photo will be used for. Journalistic (ie informing the public rather than marketing) uses have a large exemption so consent would not be needed (although a model release for image copyright purposes may be advisable – but that’s a totally different thing for a different law). Consent must be specific to the purpose and the types of processing associated with that purpose – so just listing channels wouldn’t be suitable unless the photo would be used on all of those channels for exactly the same purpose. Catch-all/blanket consent for any possible future use is never valid. In every case, you need to look at the purposes of taking and using the pictures, determine the legal basis for that, provide suitable privacy info, inform people of their rights, have processes in place for objections (where those apply) and good record management to support subject access or erasure requests later.

What words would we need in a contract in terms of providing a service to clients?
Depends on the service you’re providing! Impossible to answer that without more info; that’s the sort of advice you’d need to hire a data consultancy for.

What is changing with the GDPR in Open Source Communities that use ‘Open access’ Database?
The GDPR doesn’t change much in principles and obligations, so if everyone using that resource is doing so in compliance with the Data Protection Act 1998 then all they need to do is some additional record-keeping and a review of any consent that may be needed. However, if data protection has not been designed into the structure and uses of the database, then there may be a lot of work to do. That one’s impossible to answer without much more specific information on who the Data Controllers are and the purposes of processing!

If you’d like to make sure your comms is compliant with the GDPR in time for 25 May, then get in touch and we will help you out.