In this episode of the GDPR mini-webinar series Amar Singh and Chris Payne discuss the topic of collecting personal data.
Amar: Welcome to Cyber Management Alliance’s mini webinar series on GDPR, General Data Protection Regulation, also called EU GDPR. I’m joined by Chris Payne; welcome.
Chris: Thank you.
Amar: We’re going to talk today about collecting personal information. Chris, definition of personal data?
Chris: So, I think the first thing that we should do is just talk about the fact that personal data and personal information are used as interchangeable terms. Funnily enough, in the regulation they’re used interchangeably as well. I don’t know if it’s a typo, but we should just say at the beginning of this series that we’re going to use those terms interchangeably as well, to mean the same thing. So, it's worth us defining this before we talk about anything else. The core principles of the GDPR centre around emotional/personal information, personal data, so we should at least define what it is, and what it essentially is, is any attribute which could wholly or partially identify an individual. So, for example, your telephone number, your name, a picture of yourself, or something like that. And don’t forget that it’s partially as well; the reason why we would say that is, if you think about your home telephone number, maybe there are a number of individuals living there, so it identifies a subset of people; that’s still classed as personal information under the GDPR.
Amar: Excellent, and we’re doing this because, just to reiterate, personal information and personal data are interchangeable, because some people get very hung up on that. But what’s the special category here? I mean, it's called a special category, but why?
Chris: So, this is still a type of personal information; however, under the GDPR, there are special provisions for this, and the idea is that you shouldn't process this type of data unless you have a real, genuine need to do so, and if you do, then you need to explicitly have the consent of the data subjects to do so. And they include some of the more contentious subjects in the world, I guess. So, for example, ethnicity, political opinions, religious beliefs, trade union memberships, genetic data plus biometric data, health data and of course things like sexual orientation and sex life; so, all the kinds of things, I guess, that people maybe wouldn’t disclose in their normal day-to-day conversations with people. Those are classified as special categories.
Amar: As in all presentations and videos, we’d highly advise everyone listening in to seek their own professional legal advice. Nothing here is professional, legal advice. We are sharing bite-sized information about GDPR so that you can start getting on the right path. Thank you, Chris. So, now we're going to talk about the whole concept of collecting personal data and the core principles of the GDPR. Chris, what is the first principle?
Chris: So, the first principle of GDPR is that data collected must be collected and processed lawfully, fairly and transparently, and what that really means, in more layman's speech, is that you need to gain good levels of consent for collecting and processing data. And there are some expanded points on this; for example, it must constitute action, consent must constitute action. What that means is you can't have somebody just pressing a submit button; that’s no longer consent. It has to be opt-in, so a tick box opt-in or something like that.
Amar: Ok, what about the next one then?
Chris: So, the next one: personal data can only be collected for specified, explicit and legitimate purposes. So, if, for example, your business activity is to distribute a newsletter, and that via email, you should only be collecting data that allows you to carry out that task. So, email addresses are an obvious one, possibly name as well, but if it’s an email-based newsletter, you have no purpose in collecting telephone numbers, so you shouldn't be collecting them.
Amar: Sorry, and for example, you have no reason to collect the home address of someone.
Amar: And this is really important; although the Data Protection Act has also been saying this, GDPR is very, very clear. So, people listening in or watching this, please pay attention to this, because GDPR is very clear and very definitive if you don’t obtain and follow what it's saying. So, just to reiterate, only collect information for the specified purpose.
Chris: It's probably also worth pointing out, and we will cover this in a separate webinar, the idea of administrative fines and penalties, which has been spoken about at length on social media and other types of media, but actually breaking the six core principles of GDPR constitutes one of the higher tiers of administrative fines under the GDPR.
Amar: Yes. So, if you do not follow the six core principles that we are talking about today, you’re going to have serious issues there. So what's the next principle then, Chris, in terms of adequacy?
Chris: Yes, absolutely. So, it kind of really is an expansion on the second point. So, not only do we need to make sure that we’re only collecting the data that we need, it needs to be for legitimate purposes as well. So, we can’t just have a format there that just collects data for the purpose of general marketing; it has to be specifically for the purpose that we need it for. So, again, if we go back to the idea of the newsletter, we have to communicate to our data subjects that we are collecting it on the basis of the newsletter, and we shouldn't be using it for any other purpose.
Amar: Ok, makes sense. Next one; it is the skeleton of a beautiful image there, but basically it has to be up to date. Let's dig a bit deeper into this.
Chris: Yes, and I guess this is maybe one of the tougher ones to really talk about or really understand how this will be applied, and I guess, to some degree, a lot of the GDPR needs testing anyway. The reality is, it is just a theoretical regulation at the moment, but the skeleton's on there because we’ve seen this in the past. Let's say a data subject passes away and they continue to get junk mail or continue to get communications, phone calls and things like that; that puts the family under distress. Now, it's quite an extreme example, but in any situation where the data that you have collected becomes incorrect, it is up to you as a data processor or controller to update that data and make sure that it's correct.
Amar: And, again, you must seek your own professional, legal advice here, but one of the things you can do is keep an expiry date on the data you’re collecting. Either you use technology or some kind of a business process, but every… once you determine that you're going to keep this data for twenty-four months, and you must tell the data subject that you're keeping it for twenty-four months, then there must be either an automated process or a manual process so that you can ensure that your data is up to date. Next one, Chris…
Chris: Yes, and actually, what you said there really kind of speaks to the heart of the fifth core principle, and that is that personal data that’s now collected must have an expiry date placed on it, and once you get to that expiration date, then you have an obligation as a data controller or processor to make sure you stop processing it; you can no longer use it, and of course, that expiration date needs to be communicated to data subjects at the point of collection. So, we’re kind of building a story now; when you now fill out a form, let’s say it’s a web-based form, it needs to tell the data subject what you're going to use it for, how long you’re going to keep it, it needs to make sure that it gains explicit consent in collecting that data, and you need to make sure that it’s relevant to what you need it for; it cannot be expansive in general.
Amar: And if it expires after twelve months, as you have determined, then you cannot process that data any longer unless you have another set of permissions from that user.
Chris: Absolutely, so further consent so they can continue processing. Really important, we haven’t put it on this slide because the GDPR regulation is obviously a lot larger than we can fit into the presentation, but it specifically says that you cannot use the term indefinitely. So, you can’t just say ok, we’re going to have an expiration of indefinite to try and get your way around the regulation; it specifically says you can't do that.
Amar: And, as we were discussing earlier, Chris, you cannot have a fifty-page T&C for someone to look at. You have to be very transparent and upfront with the people you’re collecting data from, the data subjects.
Chris: Indeed, and you can see the key words listed through the six core principles - lawfully, fairly, transparency, explicit – what it’s really trying to get at is, and I think it's iTunes that has the longest terms and conditions in the world, something like that, that’s no longer acceptable, because everybody knows that we don't read those, we just accept them, and the GDPR really wants to get away from that, because the question always becomes, well, what are you signing up to?
Amar: Excellent. So, I know there’s one more bullet point, which purposefully we’re not going to discuss today, but we’ve brought it up because we are going to cover it in a different mini webinar. What's that about, Chris, what's that going to be about?
Chris: Yes, so this final core principle is the one that is used quite often for advertising what some would call GDPR-compliant solutions or products that you should buy to become GDPR compliant; it really homes in on this final point. So, there’s going to be a separate webinar specifically on the final core principle, and it’s centred around the notion of Security by Design, making sure that your data processing systems are secure, and that covers confidentiality, integrity and availability. So, we’re not just talking about encryption or high-strength cryptography, we’re talking about the CIA triad and all these principles.
Amar: Oh boy, that’s going to be an exciting webinar. So, thank you everyone for listening in to Cyber Management Alliance’s mini webinar series. Chris Payne is our cyber expert and the Managing Director for ACS, that's Advanced Cyber Solutions. For the next episode, Chris, what are we going to talk about?
Chris: Well, if you didn't think that we’ve punished you enough with the six core principles on your ability to process data; well, actually, data subjects have their own rights, their own set of rights, that they can enact, and you as a data controller or processor are obliged to complete them.
Amar: Oh boy, all fun and good stuff. So, thank you everyone and we'll see you next time.