Learn what's new and how it impacts your business.
Due to the complexity of GDPR, it was widely anticipated that some things would be prioritized over others for auditing and enforcement after it went into effect in May 2018.
As we come up on the one-year anniversary of the GDPR, the more complex requirements and restrictions are beginning to become a focus for the DPAs.
Recently, the UK Information Commissioner's Office (the ICO) and other EU Data Protection Authorities have started asking this question in their audits: "What did you do to transform the legal basis for processing pre-GDPR data so it is now legal?"
GDPR Recital 171, relating to consent, has not been emphasized previously. But it states that all data collected using approaches that were legal at the time of collection -- but fail to comply with the newly-heightened GDPR requirements -- are now illegal to possess.
Since adoption of the GDPR, the primary focus of DPAs has been on data breaches and Subject Access Requests. Now, however, Recital 171, which emphasizes the very legality of possessing data, is getting more attention.
As DPAs' auditing capabilities evolve and their processes and expectations mature, the risk framework and technologies being used to manage exposure must also grow and expand. This cycle of consistently evaluating risk and response is expected to continue into the foreseeable future.
A CEO of a Top 10 Global IT company recently stated that "90% of data is illegal under the GDPR" due to improper or noncompliant consent. Also, the recent ruling by the Dutch DPA that “Cookie Walls” are not GDPR compliant is causing many companies to re-think their approach to consent.
The GDPR mandates that consent must be “freely given” which requires that a data subject’s access to a product or service *cannot* be conditioned on providing consent to the processing of personal data that is *not necessary* for the contract or service. In addition, re-consenting is at best only a partial solution for two reasons: (1) companies are reporting *very low rates* of success in getting re-consent; and (2) using any personal data for which consent is not received will always require a separate non-consent legal basis. Companies are finding attempts at securing re-consent to be time consuming, expensive, and unsustainable. They are also realizing that consent *does not* work for Analytics, AI processing or Machine Learning when these uses cannot be explained to Data Subjects with specificity required under the GDPR for consent to be lawful.
Companies are beginning to understand - to their surprise - that legacy security measures like encryption, hashing, and other techniques do not support the balancing of interests necessary to establish Legitimate Interest as an alternate legal basis for possessing personal data.
Unfortunately, this is leading many to conclude that there is no good option for retaining historical personal data. Tragically, companies tend to fall into one of two camps - (i) those that are in analysis paralysis and do nothing, which exposes them to enforcement action and (ii) those that have gone so far as to delete highly valuable data to avoid potential liability simply because they do not see a better alternative. Neither is an acceptable solution.
At Anonos, we have a unique, revolutionary, and EuroPrivacy-certified pseudonymisation solution that enables organizations to legally possess personal data collected pre-GDPR in compliance with GDPR Recital 171.
Introducing SaveYourData from Anonos.
SaveYourData enables GDPR-certified compliant pseudonymisation of personal data. SaveYourData is the "state-of-the-art" in technical and organizational safeguards to enable transformation to Legitimate Interest processing.
The Anonos SaveYourData technology solution “buys more time” by allowing your organization to legally possess the data while you determine the best way to proceed with using your data in a compliant manner.
SaveYourData comes with Verifiable Proof for customers, partners, and regulators that possession of the data is protected against unauthorized re-linking or identification. SaveYourData is the ONLY GDPR-CERTIFIED compliant technology for pseudonymisation and transformation of data.
In summary, in accordance with GDPR Recital 171, personal data collected pre-GDPR under legacy consent laws is now illegal to possess; transformation of the data is required for legal possession to resume, otherwise the data must be deleted. SaveYourData is state-of-the-art, certified technology that enables your company to legally possess pre-GDPR personal data collected under legacy consent laws.
To start a conversation about how you can quickly and easily fix this problem and save your historical data by making it legal to possess, contact us directly.
To download the following two-page itemized checklist to evaluate your right to possess legacy GDPR data, click here:
Update May 2019: What changed?
What has changed based on feedback from Data Protection Authorities in the one year since GDPR?
Which of These Actions Works Best for Your Company?
The Guidelines on Consent Require Data Controllers to Select from One of the Following Four Actions for Analytics, AI & Machine Learning to be Lawful Using Pre-GDPR Legacy Data:
The only realistic option available for retaining personal data collected in noncompliance with GDPR requirements for lawful Analytics, AI and Machine Learning is to transform the data to another legal basis.