When asked to support the process of a data audit, it almost always transpires that some personal data is collected for no purpose at all and may never actually be processed. For example, is it functionally important to know the age of an online training event attendee? No (assuming they are an adult).
The analysis does not end there. Once the correct data and its purpose are identified, the data controller should be able to identify the legal basis for collecting it. There are only 4 that are of general application to businesses. For example, is it functionally important to know the gender of the purchaser of an umbrella? No, but it may be useful for segmenting a marketing campaign. As such, the legal basis for processing the gender of the purchaser is not to “fulfil the contract,” but instead “legitimate interests” – in this case to market and grow the business.
How long will any particular piece of personal data be stored for? Financial records need to be kept for 6 years or more, but the underlying credit card data is not useful after a few months. A data controller needs to be specific about each data point and be able to justify their choice of retention period if a query is raised.
Privacy policies also need to set out the specifics of any technology or partnerships that the data controller is relying on in order to complete its processing. These are unique to the data controller and cannot be copied from somewhere else. The data controller will need to understand and communicate whether any personal data is being shared with processors (perhaps an email marketing provider), whether personal data is being cross-referenced with third party sources (such as address verification software), and be open about any tracking or monitoring that is taking place using cookies or other adtech.
Finally, there are complexities around the international processing of personal data. The data controller will need to explain where in the world processing takes place and, if this is in a so-called “third country,” to explain to data subjects how the personal data is safeguarded. This will differ for each data controller depending on their choice of suppliers and the nature of the processing they are performing.