When GDPR comes into force, those found to be non-compliant could face fines of up to 4% of global turnover. One of the main issues to contend with is how you store information after gaining customer consent.
It was a topic The Supper Club’s exclusive membership discussed, with their opinions being the crux of a recent report. Titled Beyond Compliance, the report maintained businesses should keep records of processing activities.
“An information audit across your business will ensure you know exactly what personal data you hold, where it came from and who you share it with,” the report’s writer, Alex Evans said.
“To avoid being impacted by any breaches outside your control, you should conduct due-diligence on your supply chain. Check obligations in contracts to ensure suppliers and contractors are GDPR-compliant.”
If your supplier gathered the information, it’s in your best interest to ascertain how they gathered it. Record whether permission was really given. It’s just as important to know where suppliers currently store data, Evans explained.
“Check your suppliers and any systems that store your customer data to confirm where it’s hosted,” he said. “Document everything so you can produce upon request.”
When it comes to the storing of data, The Suppler Club member Peter Borner pointed out that it wasn’t necessary to keep the information within the EU. As senior consultant to The GDPR Guys, Borner contends with GDPR-related questions each day. Whether data needs to be stored in the EU pops up frequently.
“Data can be stored in the US,” he said. “However, sufficient safeguards must be in place when transferring data out of the EU. We recommend a General Data Processing Agreement (GDPA) between entities inside and outside the EU. This is a legal document signed and adopted by all companies within a group, which sets out how they all agree to secure and protect personal data they share.
“If you cannot get a GDPA then you have to rely on standard clauses (as defined in the GDPR). AWS and Microsoft rely on the standard clauses. Simply relying on the US Privacy Shield is not sufficient. All transfers to third countries will have to be correctly and fully documented in your Article 30 records.”
Backed by its exclusive community of high-growth entrepreneurs, The Supper Club delves into the subject of garnering consent for the processing of personal data ahead of 25 May 2018.
He reminded that data can only be stored for as long have you have legal grounds for storing it. Financial data is often stores for up to ten years. Employee data, however, should be kept until you no longer need to defend yourself at a tribunal.
“Customer data is generally stored for the length of your normal sales cycle,” Borner explained. “It is a case by case decision. The implications of this are that you may be able to refuse a request for erasure because you have the legal grounds for keeping the data for longer.”
While this is true of new data, Evans highlighted the lack of explanation around how historical information should be stored. According to the Supper Club members, as long as you can justify where you obtained the data from and that consent was given, you should be able to keep it after GDPR takes effect.
None of these changes should be viewed as a boon to business. In fact, as Evans suggested, “the deadlines is an opportunity to clean out your databases and ensure your marketing is targeting only engaged individuals.”