If you’re in any doubt about how much organisations value personal data, try signing up to an event. Rarely are you just sharing your name and contact details with the company to confirm your booking. Marketing departments want as much information as possible so they can target future events at you, asking you to provide all sorts of data, download apps, complete surveys or follow them on social media.
You might think nothing of it at the time, and eventually you get used to instantly binning the occasional email update. But this should become a thing of the past under the EU General Data Protection Regulation (GDPR), whose storage limitation principle states that personal data must be kept for no longer than is necessary for the purposes for which it was collected.
What does that really mean? Can a company justify sending event information to someone who signed up with them six years ago?
“As long as necessary”
Strictly speaking, if someone signs up for an event then their data only needs to be kept until after they’ve attended (any records the organisation must retain to meet a legal obligation, such as invoices kept for tax purposes, are held under that separate basis). However, organisations will be within their rights to ask attendees whether they’d be interested in hearing about future events – particularly if the event they signed up for is an annual or recurring affair.
To do this, organisations will need to demonstrate that they have a lawful basis for keeping that contact information and any other information they hold. Many organisations will rely on consent – even though it poses a lot of practical problems – and the Information Commissioner’s Office is clear on the limits of consent. Its GDPR guidance recommends that consent be refreshed every two years.
Likewise, organisations relying on any other lawful basis should review whether it still applies at similar intervals.
If the data subject withdraws consent, or there is no longer another lawful basis (such as a legitimate interest) for storing their data, the organisation is obliged to erase it.
Become a GDPR expert
The complexity of the GDPR and the potential penalties for failing to comply have created a pressing need for experts. There has never been a better time to invest in GDPR training.
Our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course provides a comprehensive introduction to the GDPR and gives you practical advice on planning, implementing and maintaining a GDPR compliance programme. It also enables attendees to fulfil the data protection officer role.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.