
Do You Have To Delete Your Data? GDPR Advice.

Tagged with gdpr, ico, data, free, freeadvice, gdprtemplate, easygdpr, gdprfree
by Adam Brogden
in Blog

28-Mar-2018 10:04

This issue has been discussed many, many, many times. The question is whether you have to delete your existing data on the 25th of May. This is surprisingly tricky and depends on a number of factors. Most important is the complicated link between GDPR and PECR. The simplest way to think about this is to just assume that they both apply – separately and together.
For example:

From now until the 25th of May:
For electronic communication (automated calls, email and SMS text marketing, for example), PECR and DPA apply – you can continue to use your data as long as you can prove you have an opt-in, and soft opt-ins are still valid. This means that you can prove [and this really means prove] – that you have the person's consent. Generic consent collected by a third party which refers to ‘carefully selected third parties’ is unlikely to be acceptable. However, if you meet these criteria you are OK to keep up your marketing activity.

After the 25th of May:
So, now things get a bit more tricky. GDPR and PECR now apply. Where you have explicit consent with a genuinely collected opt-in and proof that you presented a privacy statement, then you are in the clear! You need to check the details carefully, but this approach is pretty safe and chances are you will meet GDPR and PECR regulations. Where you rely on legitimate interest or contract as your lawful basis under GDPR, then as long as you have documented this properly and still meet PECR, you are still good to go.

The issue comes with your old data. Chances are that the data you collected over the last few years does not meet GDPR and/or PECR regulations. Be extra careful with any data you bought from a third party – there is little [almost zero] chance that this will be legitimate post-GDPR. This is a complex area, but ask yourself: if the ICO knocks on the door, can I show them:

1. the opt-in form used when I collected the data showing no pre-checked boxes and a clearly displayed privacy statement
2. the actual privacy statement content describing how we would process their data and how we would protect their rights – with version numbers, dates etc...
3. the documented lawful basis under which you collected the data and where you explained this to the data subject
4. proof that you had a valid opt-out in all your marketing messages and that you do act on them

I guess not. If you do have this – well done and I am truly sorry for doubting you.

If not, you need to take action now and decide either to delete or to attempt to re-opt-in your data. Check Optindigo's Consent Manager – there are lots of ways to do this, and the Consent Manager might just help.

I have been involved in a few ICO investigations and I can tell you that if you suffer any sort of breach or high level of complaints you will be expected to provide opt-ins for all the data under investigation. ALL the data. Don’t risk it. Fix it or dump it.

Good luck all!