While the spotlight rests predominantly on the search for answers about GDPR, let us not forget the many open questions that remain about how GDPR will actually be implemented and enforced in practice.
The most important point about GDPR is that it is a framework. Rather than a prescriptive body of regulation, GDPR will rely upon the specific codes of practice that will be published and enforced by the Information Commissioner’s Office (ICO) in the UK, and other similar national supervisory bodies in the rest of the EU. These codes are yet to be published (as of mid-January 2018), but preliminary information is available at:
The overall GDPR document is vague in many areas. Here are three questions and areas of interest that we’ve been discussing at SalesSeek (and there are more) that will need to be clarified further by the ICO:
1. How do Private Notes fit into GDPR?
It would seem uncontroversial to enable any person to have access to a copy of all data held about them. However, it’s not clear how competing requirements of privacy and disclosure will be managed.
For example, your email address is clearly “your” information, and you are entitled to know what an organisation holds as your email address. But what about private notes and opinions, such as “this customer is very difficult” or “this customer has a special discount”? In the first instance you don’t really want to share that with the customer, and in the second, you don’t want this commercially ‘in confidence’ information being more widely distributed. Yet it is clearly identifiable data about that person.
In practice, any request for data from a person will inevitably involve some form of redacting. Paragraph 63 in the GDPR preamble admits the tension here but offers no practical guidance.
What are the guidelines for that? What is acceptable/unacceptable to withhold from an enquirer?
2. How do we deal with Public Information?
The GDPR text seems to make little exception for public information. LinkedIn is an obvious source, and within the UK the electoral roll is public, “doubly so” since voters can opt out of the public record, so it would be assumed that anyone who has not opted out has made their address details public. In a B2B environment in the UK, Companies House openly provides correspondence addresses and partial dates of birth of directors.
Article 9(2)(e) specifically carves this public domain data out of the special categories of personal data. Article 14, however, makes no such carve-out, and indeed paragraph 2(c) suggests a data subject can insist you erase public domain data about them.
All confidentiality agreements include carve-outs for information in the public domain. How does holding publicly available information affect GDPR compliance?
3. How do you remember you’ve forgotten?
Typically, when someone unsubscribes from a mailing list, at least their email address is kept as a record that they have unsubscribed. This is done to prevent other sources re-introducing that person. The literal text of GDPR suggests this is no longer permissible, but is that really the intent?
Other legislation requires records retention. Ongoing legal cases may more specifically require the preservation of records. Presumably, these must supersede the “right to be forgotten”? The GDPR text does suggest they do, but it is light on specifics, especially on the conflict between an individual’s right to erasure and general policy on records retention, which is ultimately as much a business decision as a legal one.
For all of these questions, it is hoped that common sense will prevail in the ICO’s identification and prosecution of transgressions, but a bit more clarity would not go amiss. The confusion has driven an expansion in GDPR consultancy, and everyone has an opinion, but the only organisation whose opinion actually matters has been reserved, to say the least, in its guidance.
While the majority of the ICO rulings have been fair and proportionate, I was surprised to see Honda fined for checking its existing database for permission to send marketing emails. That to my own mind seemed to pass the common sense reasonableness test, but obviously not theirs. Businesses in the main want to comply, and it’s precisely for this reason we need to see the detailed guidelines and codes of practice from the ICO, and preferably ahead of the May implementation “deadline”. Discover how SalesSeek is preparing for GDPR in product.