Last week we discussed how GDPR affects data you have collected before GDPR went into effect (GDPR goes into effect on May 25, 2018). But what about the case where you have data acquired from a particular individual before GDPR went into effect, and then that individual provides you with additional data after GDPR is in effect? That is the subject of this article.
In order to understand how GDPR affects new personal data belonging to someone who had previously given you data before GDPR went into effect, we need to discuss three different scenarios:
1. Data acquired post-GDPR that is different from the data that you acquired from the individual before GDPR went into effect.
2. Updating, post-GDPR, of data that you already had previous to GDPR going into effect.
3. Situations in which it doesn’t matter when the data was acquired: it is still covered by GDPR.
Personal data acquired after GDPR went into effect that is different from the data that you acquired from the individual before GDPR went into effect
After May 25th 2018 (the date that GDPR goes into effect) if the personal data that you are acquiring from an individual for whom you also have pre-GDPR acquired data is new data, meaning that it does not exactly duplicate data already shared by the individual prior to GDPR, then that new data must be treated in accordance with GDPR just as if it is the first time you have acquired data from the individual. In other words, all GDPR requirements apply. There is no exemption for a pre-existing relationship with the individual in terms of how post-5/25/18 acquired data must be handled.
However, the pre-GDPR acquired data for that individual, so long as it is not in any way the same sort of data now being acquired under GDPR, is subject only to some aspects of GDPR. We explain this more fully here.
Example: You already had an individual’s email address, but never had their telephone number. Sometime after May 25, 2018, the individual provides you with their telephone number. That telephone number must be handled in accordance with the requirements of GDPR.
Updating of personal data that you already had previous to GDPR going into effect
If an individual provides you with an update to data that you already had previous to GDPR going into effect, that newly updated data must be handled according to GDPR.
Example: You already had an individual’s email address; now that same individual, after May 25, 2018, updates that email address. The new email address must be handled in accordance with the requirements of GDPR.
NOTE: It is anyone’s guess as to how the scenario where you already had an individual’s data prior to GDPR, and now that same individual, after May 25, 2018, newly provides you with the same data, will play out. Our best guess is that it will be determined that once you are provided with personal data after May 25, 2018, every instance of that data in your system must be treated in accordance with GDPR. We can also foresee it going the other way, but the safe bet is to assume the former, and just go ahead and treat all data in accordance with GDPR.
Situations in which it doesn’t matter when the data was acquired: it is still covered by GDPR
As we discuss here, GDPR requires that if you experience a data breach, you must notify the appropriate authorities within 72 hours of discovering the breach.
This applies to all data, not just data acquired after GDPR went into effect.