Use It or Lose It - GDPR Legitimate Use and PI Deletion
The GDPR’s “Right to be Forgotten,” also known as the “Right to Erasure” (Article 17), has been hyped a great deal over the last couple of years. In fact, the Right to Erasure requires that personal information (PI) be securely deleted when requested by the individual, without undue delay and in any event within one month of receiving the request (Article 12(3); the period can be extended by two further months for complex or numerous requests), unless a legal reason requires it to be kept, e.g. litigation or regulatory compliance. But what about the PI collected or purchased that makes up the massive contact lists used for marketing campaigns?
If an individual doesn’t specifically ask for it to be destroyed, can companies keep it for as long as they want? The answer is no.
Consent specifically given
Article 5(1)(e) of the GDPR, the storage limitation principle, attempts to address this question. It is one of the general principles applicable to personal data processing and requires that PI be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the PI was collected and processed. Its sibling, Article 5(1)(b) (purpose limitation), requires that PI be collected for specified, explicit purposes and not further processed in a manner incompatible with them. Together these leave a lot to the imagination. For example, if a company gates a white paper and collects an individual’s PI, what was the original purpose of that PI collection? Was it for marketing of that specific white paper or was it for all white papers? Can that PI be used for a sales call? How about to offer additional pieces of collateral? Could you use that PI to conduct a survey? The GDPR does not spell out that level of detail, and it is most likely that companies will interpret consent given for a specific piece of marketing collateral as covering company marketing and sales purposes in general, at least until the supervisory authorities go after someone for using consent in that manner. Bear in mind, though, that consent under the GDPR must be specific (Article 4(11)), so the further a use drifts from what the individual was told, the weaker that interpretation becomes.
Use it or lose it
The GDPR’s Article 5(1)(e), which states that PI held on data subjects in the EU be kept “for no longer than is necessary for the purposes for which the personal data are processed,” is being interpreted to mean that if EU contacts have not been used (again, for their original purpose) for an extended period, they must be culled and securely deleted, even if you had obtained valid consent for each contact. The GDPR itself sets no number of years; the two-year figure sometimes cited is a policy choice that the data controller must be able to justify. Additionally, Recital 39 of the GDPR states that the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.
Organizations need to be able to ensure personal information is securely disposed of when no longer needed. This also reduces the risk that the data will become inaccurate, out of date or irrelevant, which would put the controller in breach of the accuracy principle as well.
What does this mean for marketing departments?
To ensure your company is meeting all GDPR requirements, marketing/contact lists should be granularly managed and culled of unused EU contacts regularly, with the retention period and the date of last use recorded per contact so the cull can be demonstrated to a supervisory authority. There is, however, a way to keep the information longer, for example in an archive: if the data is truly anonymized, so that it is no longer capable of identifying a specific data subject, the GDPR no longer applies to it (Recital 26). Note that merely pseudonymizing the records, for instance by hashing the email addresses, does not qualify; pseudonymized data is still personal data. A genuinely anonymized archive therefore cannot be used to contact anyone again; its value is in aggregate analysis, not in resurrecting the list.
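The following is an added example, not code from the original post or from Archive360, showing what a retention sweep along the lines described above looks like in practice: contacts in the EEA that have not been used for their original purpose within an assumed 730-day retention window are selected for erasure, contacts under legal hold are retained, and the erased records are reduced to aggregate counts (with small buckets suppressed) rather than pseudonymized. It also computes the Article 12(3) response deadline for an erasure request mentioned at the start of the post. The retention period, the bucket-size threshold, the `Contact` structure and the sample contacts are all constructed for illustration; the GDPR prescribes none of those specific values.

```python
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy constants for this example, not values prescribed by the GDPR.
RETENTION_DAYS = 730   # cull EEA contacts unused for their original purpose for two years
MIN_BUCKET = 2         # suppress aggregate buckets smaller than this (pick a larger k in production)

# EEA country codes: the GDPR protects data subjects in the Union/EEA regardless of citizenship.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class Contact:
    contact_id: str
    email: str
    name: str
    country: str            # ISO 3166-1 alpha-2 code
    purpose: str            # the original purpose the consent was given for
    last_used: date         # last date the contact was used for that purpose
    legal_hold: bool = False  # litigation or regulatory reason to retain the record


def classify(contact: Contact, today: date, retention_days: int = RETENTION_DAYS) -> str:
    """Decide what the sweep does with one contact: 'keep', 'hold' or 'erase'."""
    if contact.country not in EEA:
        return "keep"          # this example policy only governs EEA contacts
    if contact.legal_hold:
        return "hold"          # Art. 17(3): legal claims override erasure
    if today - contact.last_used > timedelta(days=retention_days):
        return "erase"
    return "keep"


def anonymize(contacts) -> dict:
    """Reduce erased contacts to counts by (country, purpose, year of last use).

    Direct identifiers (id, email, name) are dropped outright. Hashing the email
    instead would only pseudonymize the record, which is still personal data
    under Recital 26. Buckets below MIN_BUCKET are suppressed so that a single
    unusual contact cannot be picked out of the aggregate.
    """
    counts = Counter((c.country, c.purpose, c.last_used.year) for c in contacts)
    return {key: n for key, n in counts.items() if n >= MIN_BUCKET}


def sweep(contacts, today: date):
    """Return (retained contacts, anonymized archive, ids of records to erase)."""
    retained, to_erase = [], []
    for c in contacts:
        (to_erase if classify(c, today) == "erase" else retained).append(c)
    return retained, anonymize(to_erase), [c.contact_id for c in to_erase]


def _add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def erasure_deadline(received: date, extended: bool = False) -> date:
    """Art. 12(3): respond within one month of receipt, extendable by two further months."""
    return _add_months(received, 3 if extended else 1)


# Constructed sample data for the example; these are not real contacts.
TODAY = date(2019, 6, 1)
REQUEST_RECEIVED = date(2019, 1, 31)   # an erasure request that arrived on 31 January
SAMPLE = [
    Contact("c1", "a@example.org", "A", "DE", "whitepaper-x", date(2017, 1, 15)),
    Contact("c2", "b@example.org", "B", "FR", "whitepaper-x", date(2018, 12, 1)),
    Contact("c3", "c@example.org", "C", "US", "whitepaper-x", date(2015, 1, 1)),
    Contact("c4", "d@example.org", "D", "IE", "webinar", date(2016, 5, 5), legal_hold=True),
    Contact("c5", "e@example.org", "E", "DE", "whitepaper-x", date(2017, 3, 3)),
]

if __name__ == "__main__":
    retained, archive, erased = sweep(SAMPLE, TODAY)
    print("erase:", erased)          # ['c1', 'c5']
    print("archive:", archive)       # {('DE', 'whitepaper-x', 2017): 2}
    print("deadline:", erasure_deadline(REQUEST_RECEIVED))                  # 2019-02-28
    print("extended:", erasure_deadline(REQUEST_RECEIVED, extended=True))   # 2019-04-30
```

The US contact is untouched because this example policy scopes the cull to EEA records, and the Irish contact under legal hold is retained even though it is older than the window. The deadline helper clamps to month end, so a request received on 31 January is due on 28 February, not on a non-existent 31 February; whatever tracker you use for erasure requests needs the same rule.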
Get control of your customer’s personal information
Archive360’s Archive2Azure intelligent information management and archiving platform is designed specifically to meet GDPR data management and privacy requirements in a cost-effective manner. Archive2Azure takes full advantage of Azure Cloud security, geo-replication, DR, AI, and Azure’s three storage tiers (Hot, Cool, and Archive), as well as WORM storage.
By storing your marketing/sales contact lists in your company’s Azure tenancy and managing them with Archive2Azure, you can set policies, including last date accessed, to dispose of contact information based on geography, to ensure EU contacts are not kept for longer than directed by the GDPR.
Archive2Azure enables companies to move away from expensive on-premises data management and backup solutions and instead utilize their Azure tenancy and Archive2Azure’s management capability. By utilizing Archive2Azure, companies retain direct ownership of their data - something the “one size fits all” third-party SaaS cloud archives cannot offer.
The Archive2Azure platform provides your company a greater level of control of your regulatory information management and privacy responsibilities - including responding to GDPR data deletion requests.
For more information on these subjects, check out these blogs:
- A Backup is not an Archive … But, a Cloud Archive can be an Effective Backup
- Will the New California Consumer Privacy Act Stand?
- The Privacy Shield Scheme and the GDPR
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.