SaveYourData in 5 Minutes

Learn what's new and how it impacts your business.

Due to the complexity of GDPR, it was widely anticipated that some things would be prioritized over others for auditing and enforcement after it went into effect in May 2018.

As we come up on the one-year anniversary of the GDPR, the more complex requirements and restrictions are beginning to become a focus for the DPAs.

Recently, the UK Information Commissioner’s Office (the ICO) and other EU Data Protection Authorities have started asking this question in their audits: “What did you do to transform the legal basis for processing pre-GDPR data so it is now legal?”

GDPR Recital 171, relating to consent, has not been emphasized previously. But it states that all data collected using approaches that were legal at the time of collection -- but which fail to comply with the newly-heightened GDPR requirements -- are now illegal to possess.

Since adoption of the GDPR, the primary focus of DPAs has been on data breaches and Subject Access Requests. Now, however, Recital 171, which emphasizes the very legality of possessing data, is getting more attention.

As DPAs’ auditing capabilities evolve and their processes and expectations mature, the risk framework and technologies being used to manage exposure must also grow and expand. This cycle of consistently evaluating risk and response is expected to continue into the foreseeable future.

A CEO of a Top 10 Global IT company recently stated that "90% of data is illegal under the GDPR" due to improper or noncompliant consent. Also, the recent ruling by the Dutch DPA that “Cookie Walls” are not GDPR compliant is causing many companies to re-think their approach to consent.

The GDPR mandates that consent must be “freely given” which requires that a data subject’s access to a product or service *cannot* be conditioned on providing consent to the processing of personal data that is *not necessary* for the contract or service. In addition, re-consenting is at best only a partial solution for two reasons: (1) companies are reporting *very low rates* of success in getting re-consent; and (2) using any personal data for which consent is not received will always require a separate non-consent legal basis. Companies are finding attempts at securing re-consent to be time consuming, expensive, and unsustainable. They are also realizing that consent *does not* work for Analytics, AI processing or Machine Learning when these uses cannot be explained to Data Subjects with specificity required under the GDPR for consent to be lawful.

Companies are beginning to understand - to their surprise - that legacy security measures like encryption, hashing, and other techniques do not support the balancing of interests necessary to establish Legitimate Interest as an alternate legal basis for possessing personal data.

Unfortunately, this is leading many to conclude that there is no good option for retaining historical personal data. Tragically, companies tend to fall into one of two camps: (i) those that are in analysis paralysis and do nothing, which exposes them to enforcement action, and (ii) those that have gone so far as to delete highly valuable data to avoid potential liability simply because they do not see a better alternative. Neither is an acceptable solution.

At Anonos, we have a unique, revolutionary, and EuroPrivacy-certified pseudonymisation solution that enables organizations to legally possess personal data collected pre-GDPR in compliance with GDPR Recital 171.

Introducing SaveYourData from Anonos.

SaveYourData enables GDPR-certified compliant pseudonymisation of personal data. SaveYourData is the "state-of-the-art" in technical and organizational safeguards to enable transformation to Legitimate Interest processing.

The Anonos SaveYourData technology solution “buys more time” by allowing your organization to legally possess the data while you determine the best way to proceed with using your data in a compliant manner.

SaveYourData comes with Verifiable Proof for customers, partners, and regulators that possession of the data is protected against unauthorized re-linking or identification. SaveYourData is the ONLY GDPR-CERTIFIED compliant technology for pseudonymisation and transformation of data.

In summary, in accordance with GDPR Recital 171, personal data collected pre-GDPR under legacy consent laws is now illegal to possess, and transformation of the data is required for legal possession to resume; otherwise the data must be deleted. SaveYourData is state-of-the-art, certified technology, and enables your company to legally possess pre-GDPR personal data collected under legacy consent laws.

To start a conversation about how you can quickly and easily fix this problem and save your historical data by making it legal to possess, contact us directly.


Update May 2019: What changed?

Four things you may not know about the legal right to possess legacy GDPR data!

What has changed based on feedback from Data Protection Authorities in the one year since GDPR?

  1. New Risk of Expensive Compliance Orders: Did you know that recent GDPR audits by the UK Information Commissioner’s Office (the ICO) and other EU Data Protection Authorities (DPAs) include the question “What did you do to transform the legal basis for processing pre-GDPR data so it continues to be legal to possess?” Penalties include: (i) temporary or permanent bans on processing; (ii) orders to rectify, restrict or erase data; and (iii) fines of up to 4% of annual global turnover or €20 million, whichever is greater, because it involves infringement of rights under GDPR Article 5 (principles) and Article 6 (lawfulness).
  2. Old Data Can Be Bad Data: Did you know that under GDPR Recital 171, relating to consent, all data collected using approaches that were legal at the time of collection -- but which fail to comply with the newly-heightened GDPR requirements for consent -- are now illegal to possess?
  3. New Burdens on Data Retention Disclosures: Are you aware that under Article 15(d), data controllers should disclose in responses to Data Subject Access Requests (DSARs) the time period for which they envisage storing data collected using consent approaches that were legal at the time of initial data collection but which fail to comply with new GDPR consent requirements?
  4. Data Controller Obligations and Actions: Did you know that data controllers have obligations: (i) under GDPR Article 30, to document actions taken pursuant to the Guidelines on Consent under Regulation 2016/679 (wp259rev.01) to transform noncompliant data so that it continues to be legal to possess; and (ii) under Articles 13 and 14, to disclose the purposes of the processing as well as the legal basis for the processing of previously noncompliant data? Data that was collected in noncompliance with GDPR requirements needs to be transformed so that it is legal for Analytics, AI and Machine Learning -- doing nothing means the data is illegal under Recital 171 since the GDPR does not have any “grandfather” or savings clause.

Which of These Actions Works Best for Your Company?

The Guidelines on Consent Require Data Controllers to Select from One of the Following Four Actions for Analytics, AI & Machine Learning to be Lawful Using Pre-GDPR Legacy Data:

  • Reconsenting the data: achieving 100% re-consent to transform data collected in noncompliance with GDPR requirements has been proven impracticable;
  • Deleting the data: thus, eliminating all value for Analytics, AI and Machine Learning;
  • Anonymizing the data: making it impossible to relink to identifying information thereby dramatically reducing the value for Analytics, AI and Machine Learning; or
  • Transforming the data to a new legal basis while ensuring that processing for Analytics, AI and Machine Learning is fair and accounted for, by satisfying at a minimum each of the following:
      1. Legitimate Interest processing in compliance with Article 5(1)(a) and 6.1(f);
      2. Purpose Limitation in compliance with Article 5(1)(b) and 6(4);
      3. Data Minimisation in compliance with Article 5(1)(c) and 25(1); and
      4. Storage Limitation in compliance with Article 5(1)(e) and 89(1).

The only realistic option available for retaining personal data collected in noncompliance with GDPR requirements for lawful Analytics, AI and Machine Learning is to transform the data to another legal basis.

See the 5-minute explainer video for an overview of what has changed, or contact us directly.
