When GDPR comes into force, those found to be non-compliant could face fines of up to 4% of global turnover. One of the main issues to contend with is how you store information after gaining customer consent.
It was a topic The Supper Club’s exclusive membership discussed, and their opinions form the crux of a recent report. Titled Beyond Compliance, the report maintained that businesses should keep records of their processing activities.
“An information audit across your business will ensure you know exactly what personal data you hold, where it came from and who you share it with,” the report’s writer, Alex Evans, said.
“To avoid being impacted by any breaches outside your control, you should conduct due-diligence on your supply chain. Check obligations in contracts to ensure suppliers and contractors are GDPR-compliant.”
If your supplier gathered the information, it’s in your best interest to ascertain how they gathered it. Record whether permission was really given. It’s just as important to know where suppliers currently store data, Evans explained.
“Check your suppliers and any systems that store your customer data to confirm where it’s hosted,” he said. “Document everything so you can produce it upon request.”
When it comes to the storing of data, The Supper Club member Peter Borner pointed out that it isn’t necessary to keep the information within the EU. As senior consultant to The GDPR Guys, Borner contends with GDPR-related questions each day, and whether data needs to be stored in the EU is one that pops up frequently.
“Data can be stored in the US,” he said. “However, sufficient safeguards must be in place when transferring data out of the EU. We recommend a General Data Processing Agreement (GDPA) between entities inside and outside the EU. This is a legal document signed and adopted by all companies within a group, which sets out how they all agree to secure and protect personal data they share.
“If you cannot get a GDPA then you have to rely on standard clauses (as defined in the GDPR). AWS and Microsoft rely on the standard clauses. Simply relying on the US Privacy Shield is not sufficient. All transfers to third countries will have to be correctly and fully documented in your Article 30 records.”
Backed by its exclusive community of high-growth entrepreneurs, The Supper Club delves into the subject of garnering consent for the processing of personal data ahead of 25 May 2018.
Borner reminded members that data can only be stored for as long as you have legal grounds for storing it. Financial data is often stored for up to ten years. Employee data, however, should be kept until you no longer need to defend yourself at a tribunal.
“Customer data is generally stored for the length of your normal sales cycle,” Borner explained. “It is a case-by-case decision. The implications of this are that you may be able to refuse a request for erasure because you have the legal grounds for keeping the data for longer.”
While this is true of new data, Evans highlighted the lack of explanation around how historical information should be stored. According to the Supper Club members, as long as you can justify where you obtained the data from and that consent was given, you should be able to keep it after GDPR takes effect.
None of these changes should be viewed as a boon to business. In fact, as Evans suggested, “the deadline is an opportunity to clean out your databases and ensure your marketing is targeting only engaged individuals.”