A few bits of advice –
Do Not Panic
A very well known brand did this: it deleted all of its current customer details and pledged to start from scratch. It obviously had not read the ICO’s guidance on Legitimate Interest –
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
Check What You Already Have In Place To Become GDPR Compliant
Many companies and charities who already adhere to the current DPA have processes in place that cover a fair bit of the GDPR, especially the 8 principles of Data Protection –
- Must be fairly and lawfully processed
- Must be processed for limited purposes
- Must be adequate, relevant and not excessive
- Must be accurate and up to date
- Must not be kept for longer than is necessary
- Must be processed in line with the data subjects’ rights
- Must be secure
- Must not be transferred to other countries without adequate protection
Why Not Start With Number 4 – Keep Your Data Accurate and Up To Date!
You should regularly review the information you process or store to identify when you need to correct inaccurate records, for example flagging deceased customers or goneaways and updating address details. Check your addresses against the PAF (Postcode Address File); more than 3,000 changes are made to addresses every week. Your customers or donors are the life blood of your business or charity, so do not disrespect them or their wishes. One bit of bad press can destroy your brand or your charity’s reputation.
Click here to check your data – it is quick and easy, and the report covers what you need to know without bamboozling you with information overload. If you purchase the results, the data is encrypted and ready to download immediately.
Database Management & Hosting
Of course, keeping your data secure and in order is not always easy for SMCs or smaller charities. At DDS we offer a secure, comprehensive Database Management and Hosting package to suit your needs – What We Can Offer
Still feel a little overwhelmed and need to talk to someone about your data? Then please feel free to contact us here – DDS – Contact Page
Or check out the ICO’s Comprehensive Guide to the GDPR