It is easy to think that data protection is all about security measures and consents. But as a recent fine under the GDPR proves (albeit one imposed by the German data protection watchdog on a German company), this is not the case: the personal data journey must be managed from start to end.
Whilst a German decision won’t be binding in the UK, it’s important as they were applying the same law (i.e. the GDPR) so the rules are the same.
A German company has been fined €14.5 million for failings found by the Berlin DPA (Berlin’s equivalent to the ICO in the UK).
The fine comes after a pre-GDPR inspection found that an estate agency, whilst it archived its data, did not delete its old data. This meant it held the personal data of old tenants which it had no reason to keep. At this point, the Berlin DPA gave the company the chance to rectify its practices. However, it carried out a further inspection in March this year (i.e. post-GDPR, and so GDPR-level fines!) which found that the company still hadn’t taken the appropriate measures, and so it imposed the hefty fine!
What this means for you
You must have a “lawful basis” for processing personal data, which should be decided at the outset. However, this should be monitored and may change over the course of the relationship with the individual.
A good example of this is your customer data – you may have a valid reason to collect this whilst they are a customer, but do you still need it once the relationship ends? What about ex-employees?
The law allows you to retain certain data for certain reasons and for a certain period after the relationship has ended, i.e. once the individual stops being a customer (note: this does not mean all data). It’s unlikely there will ever be a reason to hold on to personal data forever!
And once you no longer have a valid reason, you would be processing the data unlawfully – which is what the Berlin DPA found in the above case. The data hadn’t been breached, nor did it contain sensitive data (such as health data); the company simply had no reason to still have it.
So what can you do?
You should document all data you collect and your reasons why the data is necessary. This exercise should then give you not only your “lawful basis” but also the appropriate retention period.
The ICO provides a template spreadsheet for you to record all of the necessary information here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
But it’s not good enough to simply do the up-front legwork, complete the spreadsheet or create a retention policy and then stick it in the cupboard. Once you no longer need the data – DELETE AND DESTROY!