We recently attended a very helpful GDPR briefing hosted by the ACI. Approximately 25 people joined us in an open Q&A format, which was very engaging and worked really well – no 'death by PowerPoint' at 8am! Just open conversations and bacon sandwiches. A great way to start a Friday and to learn about a subject critical to our customers and the service that they provide to their customers. As this subject is widely talked about and very topical with GDPR about to come into play, we thought we would briefly summarise the discussions.
Key points:
+ Overall message – minimise all personal data held. Only keep what is absolutely required
+ Need to have defined internal processes that reflect GDPR principles (a lot of overlap with ISO27001)
+ GDPR will, for now, not replace the current 2003 Privacy and Electronic Communications Regulations (PECR) (http://www.legislation.gov.uk/uksi/2003/2426/contents/made)
+ A further regulation, 'ePrivacy', is due to follow in a year or so that will further restrict certain areas such as outbound marketing
Other points:
+ To maintain personal data, a company either needs to show specific consent OR a legitimate business reason
+ As a financial institution, you will need to either provide anonymised data to your software providers OR ensure that you work with your provider to confirm that you have explicit consent from your customers. Otherwise your software provider could be in breach of GDPR
+ Marketing
~ Under GDPR it is ok to cold-call prospects without their specific consent provided that there is a ‘legitimate business reason’ to do so. However, it is important to check that the person has not registered with the central opt-out PECR directory
~ The above may change in the next year or so when ePrivacy rules come into force
~ It is acceptable to e-mail members of groups, e.g. ACI and LinkedIn, provided their T&Cs include consent for this
~ See also (https://callcentresoftware.co.uk/blog/2017/november/can-companies-still-cold-call-under-the-gdpr/)
When it comes to cold-calling for direct marketing purposes, the GDPR views the company's interests in promoting their product as being of low importance (in the grand scheme of the smooth running of the EU), but it also sees the customers' minor inconvenience at receiving an unwanted phone call as being similarly trivial. Provided that the call is conducted professionally and all the rules are followed, the balance of needs and rights is fairly equal.
+ Internal Devices
~ Data held in datacentres, e.g. Office 365 or Dynamics, is the responsibility of the datacentre
~ There is no need to encrypt data on internal servers provided that these are secure
~ Personal data should be removed from personal devices, laptops etc.
+ Terminology
~ Data is not considered personal if it is:
> Anonymised – completely impossible to identify individual
> Pseudonymised – a code cross reference is used to replace personal ID info
> See also https://www.sciencedirect.com/science/article/pii/S0267364918300153
+ Data Subject Access Request
~ An organisation has 30 days to respond
~ An individual's first request is free
~ The requestor can be asked if there is a specific reason for the request, but answering is optional
~ An organisation does not need to give EVERY piece of information; it can withhold any data that may be subject to legal privilege, e.g. an employee complaint or breach
~ An organisation cannot share information that contains personal details of another individual
~ Best recommendation is to delete data as soon as it is no longer required
> e.g. an HR retention policy of 6 years
> A record needs to be kept of what data was deleted and when, not the data itself
We hope you found our findings as useful as we found the event. If you have any other understanding of GDPR that you think we have missed, or an outlook that you would like to share, please let us know by commenting below.