So you now have a list of all the databases you have. The issue of whether you have the right to store that data becomes a little confusing. Some people have been concerned about what data they actually have.
In order to store data about an individual you need their consent or a legitimate interest. Take the example of providing services to a person with whom we have a dispute. In your CRM system you have details of the service provisioned, engineer notes, calls and emails. To make our life difficult the customer withdraws consent. Does that mean we have to delete all this important information? Fortunately our law makers have defined another three tests that allow us to store information. These are:
- Your legitimate interests – why you need this data, and are you only storing the data you need? In this example we clearly need the information, but we shouldn’t store more personal information than we need. You have to balance your interests against the rights of the citizen, and believe that you can prove these interests if challenged. You need to be granular about the information: just because I can store the customer’s details doesn’t mean I have a right to store their date of birth so I can market to them on their birthday.
- Because it is necessary for the performance of the contract (to pay salary and benefits, for example).
- Because of regulatory and legal obligations (statutory audits, security obligations and so on). So this is your accounts and payroll covered for seven years.
If you want to understand the legitimate interests test, the ICO has prepared a simple document. You can access it here.
You need to review the data you have, and decide if you have a legitimate interest and if not you need to get consent to store this information.
How you prove consent is a whole new thing. You cannot rely on a line in a contract or a pre-ticked box; it must be clear and unambiguous. Above all, it must not be a pre-ticked box. The citizen must understand what they are consenting to:
- the name of your organisation;
- the name of any third party controllers who will rely on the consent;
- why you want the data;
- what you will do with it; and
- that individuals can withdraw consent at any time.
You can get them to consent in any way that is appropriate, but you must store records of when they consented and how they consented.
If you need to get consent, the ICO has another document on this which you can find here.
So in summary there are two ways to legally hold data: your legitimate interests and consent. Neither is better than the other, but you need to ensure you have one of them in place. The legitimate interests test is where people will disagree: some will play ultra-cautious, others will play fast and loose, but the majority will be sensible.
Examining the data stores in our business, I can classify all of them as legitimate interest. We can do this because we don’t perform outbound marketing or send newsletters at the moment. That is something we will be doing, but when that time comes we will need consent.
More to follow…