You may be wondering whether GDPR governs the handling of personal data which you collected before GDPR went into effect on May 25, 2018. The answer is both ‘yes’ and ‘no’, but mostly yes. It’s also important to know that the UK incorporated the EU GDPR into UK law after Brexit, so you are still required to comply with the rules of GDPR if you are in the UK. In fact, the UK ICO (Information Commissioner’s Office) says quite explicitly that “The provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.”
Now, in the United States a law cannot be made retroactive. For example, in the U.S. there is a constitutional prohibition against “ex post facto” laws, meaning laws that apply to acts that occurred before the law became effective. Generally speaking this is how the laws in the UK and the EU work as well. However the UK GDPR, as with the EU GDPR, has a retroactive effect in that GDPR’s scope covers personal data processing regardless of when the data was collected. That is because the processing is happening since GDPR was passed.
Put another way, GDPR (both the UK and EU versions) would not apply to any data breach or non-compliance event where the breach or event occurred prior to the enactment of GDPR. Put even yet another way, the date of the offense dictates the law that applies.
What is important to take away here is to understand the risk of processing ‘old’ personal data now that the UK GDPR and EU GDPR are in effect, as you may have to revisit the processing activity’s lawfulness and lawful basis.
The matter of what you can and cannot do with email addresses which you collected prior to the EU GDPR and the UK GDPR going into effect can be really confusing. So, we reached out to Gary Payne, a noted EU and UK GDPR expert in the U.K. with the Gill Payne Partnership Ltd, and here is what he told us. We posed a hypothetical situation in which a user – let’s call her Susan – gave her email address to a company called Acme in 2015. Susan wants Acme’s email, and in fact ever since Susan’s email address was placed on Acme’s mailing list Susan has been opening and interacting with Acme’s email regularly. You would think that in such a situation Acme would be free and clear to continue to use Susan’s email address to email her, right? However, it’s not that straightforward.
Explains Mr. Payne, “In the example you offer, my recommendation to that organisation would be to carry out a ‘legitimate interest assessment’ (LIA) for the pre-GDPR data and offer data subjects a clear and unambiguous opt-out should they no longer wish to receive marketing info. The trick is in the careful completion and wording of the LIA.” Mr. Payne went on to explain that in this case “Acme could consider using legitimate interest on the ground that there was a relationship, and that they are now offering a clear opt-out to data subjects. If they go further and provide access for the data subjects to adjust their own marketing preferences, then they switch them to again using consent. It just needs to be carefully done, thought through, and planned.” You should note that there is a difference between business-to-business (B2B) marketing, and business-to-consumer (B2C) marketing in how ‘lawful’ the use of legitimate interest can be as the lawful basis for processing.
In other words, you can’t just rely on the fact that you collected the email address before GDPR went into effect. You have to bring the opt-in and consent for email addresses collected pre-GDPR up to GDPR standards. Indeed, the ICO says, on its page about lawful consent, that you should “Check your consent practices and your existing consents. Refresh your consents if they don’t meet the UK GDPR standard.” Note that under GDPR one is also required to be able to prove that they have lawful consent, whether gained in person, by hand, or verbally, and to show how it was obtained, when it was obtained, and how GDPR requirements were met, so it is important to document this fully.
Mr. Payne went on to explain what Acme would need to do for any email addresses which did not pass muster during the LIA (Legitimate Interest Assessment):
“For any organisation, if they are processing personal data which was collected pre-GDPR, and there is no lawful basis whether or not they have a specific purpose, they should take action to erase it and re-obtain the data in a new way. To continue to hold and process such data without a lawful basis risks significant punitive measures such as fines.” Note that “might like to” and “might need” are not a lawful basis for holding or processing personal data under GDPR, and also you should document any erasures made.
Mr. Payne provided us with the Legitimate Interest Assessment (LIA) template that they use with their own clients and has given us permission to provide it to our readers who would like it. To request a copy of Mr. Payne’s LIA template, email us here.
In addition, GDPR contains a requirement that if personal data in your possession is breached, regardless of when you first collected it, you are required to notify a supervisory authority of that breach within 72 hours of having become aware of the breach where that breach is likely “to result in a risk to the rights and freedoms of natural persons (data subjects)”. For some this is a new standard, and it applies to all personal data in your possession. Where a breach poses a ‘high’ risk the data controller will also have to notify each and every data subject affected without undue delay.
Specifically, Article 33 of GDPR says:
“Notification of a personal data breach to the supervisory authority: In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
The other main area where GDPR is agnostic in terms of when the data was collected has to do with the responsibilities and liabilities as between data controllers and data processors. By way of example, when someone comes to your website and gives you their email address, you are a data controller. When you pass that email address to your email marketing service provider, so that they can send out your newsletter, they are a data processor. It’s possible (even common) for an organization to be both a data controller and a data processor.
GDPR lays out the responsibilities and liabilities of both data controllers and data processors. Among other things, a data processor has the responsibility to be GDPR compliant in terms of how they handle the data that data controllers entrust to them. They also have to make clear to the data controller that they are GDPR compliant, and also make clear to the data controller how they can check on this to ensure that the data processor is GDPR compliant and are also responsible for notifying a data controller of potential non-compliances with GDPR, whether that non-compliance is within the domain of the data processor or the data controller. This does not depend on whether the data controller is passing pre- or post-GDPR acquired data.
This is why we advise all organizations to ensure that any data processors with which they do business have written in their contract assurances that the processor is GDPR compliant; documented due diligence is a must have. The onus though is on data controllers to have carried out due diligence prior to appointing a data processor, you cannot just rely on their word that they are compliant or hide behind statements in a contract that state they are if you have not done your due diligence.
And, while we’re talking about those contracts, the prefatory language of GDPR (which makes up the first 32 of the 88 pages of GDPR) says that if the data processor ends up not being GDPR compliant, and there is a data breach as a result, both the processor and the controller may be found to be liable.
Specifically, section 146 of the prefatory language says: “The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in UK Domestic law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and UK Domestic law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage.”
For this reason, we also recommend that the contract between data controller and data processor contain language providing that the processor will indemnify the controller if there is a data breach owing to the processor either not being GDPR compliant or another factor within the control of the processor. Contracts from a data controller to a data processor regarding processing should include a ‘data processing agreement’, essentially a table of information laying out clearly the subject matter of the processing, the duration of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the data controller (GDPR Article 28.3).
The bottom line is that nowhere in GDPR is there any language exempting pre-GDPR data from the above requirements, so yes, you do have to take care that your handling and storage of email addresses acquired before GDPR went into effect (in both the EU and the UK) are compliant with the consent and other requirements of GDPR; and oh yes, get advice specifically about your type of processing.
No responses yet