Consent from "old" users registered prior to new regulations?

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Vollisen, Jan 26, 2018.

  1. Vollisen

    Hi forum,

    I'm trying to figure out how we can make sure we are GDPR compliant at our company. Am I the only one struggling to find specific answers about different things around GDPR? Sometimes I feel that all the regulations, texts, and what you need to do are so generic that it's hard to wrap your head around them and work out how to channel this into tangible actions.

    We're a software company that develops an app available for iPhone and Android. As with most apps today, inside our app you can register with an e-mail address so your data is safely stored with our backup - and if you ever lose the phone you can always "restore" your data on the new phone - this is a service we provide.

    Now, this data is stored with a cloud service from Google, who are GDPR compliant in terms of data handling.

    I'm trying to figure out two concrete things about how we build our consent:

    First of all - today we do not *use* this data whatsoever in our business. The data does contain "personal data" since we are storing their e-mail on the Google cloud, but the only purpose here is to be able to offer an online backup service to the user. We never use this data to extend our business or make more money.

    Would we still need consent from the user, even if the data is not processed/used by us? By that I basically mean, do we need consent just because of the fact that their e-mail address is stored with us, even if the purpose of storing the e-mail is _just_ for the user - and not at all for us?

    Right, so to the second question. Let's say we have to build a consent for the above. We obviously add that in our "registration flow", so at the same time the user is giving us their e-mail you'd have an opt-in dialogue telling the user that we need consent in order to save their e-mail (even if that's pretty obvious, since they are registering for an online backup service) - but let's pretend we did all this anyway - that consent itself would only be triggered for "new users" entering that flow once we've adapted the code. We have 10000 existing users who are already registered and have already shared their e-mail with us because they want online backup - do we need to reach out to all of them and ask for their consent now that the regulations are changing? Or does this not have any bearing on them, since they registered with our app before the regulations?

    Sincerely hope I could get some valuable input here as I'm feeling a bit lost.

    Thanks so much, seems like a great forum by the way.

    /Vol
     
    Posted: Jan 26, 2018 By: Vollisen Member since: Jan 26, 2018
    #1
  2. Simon Plummer

    Right, here we go! :)

    Topic 1. Do you need consent?

    I have mentioned on other threads that consent is not a catch-all silver bullet. In fact, from what I am seeing, the complexities it entails mean it is better to avoid this as the lawful basis for processing. There are in fact six bases, of which you only need one (and consent is one of them). In your privacy notice you should specify the lawful basis for processing the users' email addresses. Depending on your app, you may be able to use b) performance of a contract or f) legitimate interests here....
    hxxps:// gdpr-info.eu / art-6-gdpr /

    Topic 2. Consenting current users

    This is the risk of relying on consent as your lawful basis for processing. My view would be (if you do use consent) that you would have to 're-consent' them, advising them of the privacy statement, their rights, why the data is being processed etc etc.

    Don't forget the privacy statement isn't a 300 page privacy 'policy' like we currently see, this should be clear, short and to the point. Guidance on this can be found online including the ICO's website.

    Also, don't forget to confirm the physical location of the data in the google cloud - if not in the UK/EEA ensure the relevant clauses in the google agreement are enabled!

    Hope this helps!
     
    Posted: Jan 26, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #2
  3. Vollisen

    Simon,

    Thank you so much for your input. I'm more of a techie guy, so truth be told - in order to fully grasp what we need to do I've been to a few "GDPR" courses. One of the things they've pushed the most on them is "consent, consent, consent". I understand it's not a catch-all silver bullet, if I may borrow your wording - but I was under the impression that this is one of the most important parts of GDPR, and I guess this is also the one that is visible from a user perspective. We're a very small company with few constraints really - but we do have a lot of users running our app and, as mentioned previously, even if we don't use their 'personal data' we do store it for the sole purpose of giving the user an option to restore their app data from their backup files.

    So, after my courses around GDPR the consent question is the one that I feel is the hardest to grasp. The right to erasure, the right to get their data and such are for us quite easy tasks, as we just decided to implement these functions as part of our app - so if the user wants to be forgotten/unload their data they can just do so whenever they like.

    Sure, privacy policies have to be updated, and terms and conditions too - and we're working on those to have them make more sense and be in line with the data we do store. But I really thought the "opt-in consent" was mandatory - considering we do store personal data (in our case, their e-mail addresses).

    If we don't need a consent for that, then I've really misunderstood the whole consent part I guess. Once again I feel that the more I dig around GDPR the further away from concrete actions I get :-/

    Good catch around the clauses for google cloud, we have in fact updated our agreement accordingly.

    Thanks.

    Vol
     
    Posted: Jan 29, 2018 By: Vollisen Member since: Jan 26, 2018
    #3
  4. Simon Plummer

    Hi Vol,

    No problem at all. From what I am seeing this is a common misconception. We have to remember that currently no one is an expert; only time will tell on true interpretation (case law etc).

    However, I often see many people pushing consent as the 'only' way forward, this definitely isn't the case. What people focus on is the consent to marketing (specific clear opt in etc), they then apply this to all areas of data processing, which is potentially cumbersome and unnecessary.

    Essentially, if you need to process data (i.e. the email address in this example) in order to fulfil a contract with a data subject (provide functionality of the app), or the data subject has a legitimate interest in using the service (using the app), there are other lawful bases for processing. If you were then to market to those individuals using their email address, of course this would be entirely different, so if you intend to send marketing material to these customers then certainly obtain consent, clearly advising what you intend to do with their data.

    Even the ICO state that if it is difficult to obtain consent, use a different basis for processing!!

    ICO
    "The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis."

    Take a look here there is some good high level guidance to help you get your head around it :)

    hxxps:// ico.org.uk /for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

    Hope this helps a little more!

    Simon
     
    Posted: Jan 29, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #4
  5. Vollisen

    That does help, and that changes a few things quite significantly for us, as pushing a few hundred thousand users to a consent wall would essentially mean we'd lose retention just because we'd scare people with this. If this means we do not actually need that opt-in consent (again, given we don't use their data for anything other than their own service) that's actually really great news :)

    I have one additional question. I should probably create a separate thread for this, but while I have you in my grip I'm going to be cheeky and just ask while I'm on a roll.

    This is probably more of a general question that literally every company is thinking about. The "second" place we store user data is in our support channel. As mentioned, we have very few constraints and our user data is not at all spread out like it is in big companies with hundreds of different tools and constraints. I am really glad I am not handling GDPR at one of those companies.

    All in all, our user data boils down to two things and one tool. First, it is the backup service within the Google cloud as mentioned. Secondly, the other place we have user data is our support desk tool, which is a web based client (who claim to be GDPR compliant, but I guess what they mean here is the security level and such that they have).

    So, here's my example. A user with an e-mail contacts us to ask a question about our app. That means that when this ticket gets created in our web based support ticket tool, their e-mail will be there. Again, it's the same thing here - the only purpose we store that e-mail is for us to be able to respond to the user and help them sort out their issue. How should we look at this data from a GDPR perspective? Do we need to have a clear statement around how we handle their data even *before* they make a support ticket to us? Once the ticket is solved/completed, would we have to delete that ticket, or would it be enough if we had a housekeeping job that deleted it after X months or 1 year?

    Vol
     
    Posted: Jan 29, 2018 By: Vollisen Member since: Jan 26, 2018
    #5
  6. Simon Plummer

    Right - you are now on it :)

    Again, you need to 'process' that data to assist/offer a service to the data subject. Therefore it is not unreasonable that the data subject will know that this is the case (assuming they want a response, of course!). So in this case, the same rules apply. Make sure you have a clear published data privacy statement (probably on your website) stating why, how long, rights, etc etc. The key will be to signpost data subjects to that policy; you can of course include it in all your comms, but that would be overkill, just a 'click here for our privacy statement'. In the statement, specify the retention period and then ensure that data is deleted from your systems to adhere to that (as in the housekeeping x months).

    From a compliance side, however, make sure it is all documented (including your right to process etc). You will be the controller in this instance, so you also need to include and record the third parties processing data on your behalf (i.e. Google and your helpdesk provider), demonstrate that you have done the relevant due diligence on them to ensure the data is secure, and also ensure that their processes for assisting with removal, access (and other data subject rights) link in with yours - you don't want any delays if an individual wants their data deleted!

    GDPR is about clarity, transparency and documentation!
     
    Posted: Jan 29, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #6
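Editor's note: the "housekeeping x months" job and the in-app erasure function discussed in posts #5 and #6 are the two places where this thread turns into something you actually have to build. The block below is an added example, not code from the thread's participants or from any helpdesk product. It assumes a hypothetical ticket export (plain records with an id, requester e-mail, status, close date and a legal-hold flag), a published retention period of RETENTION_DAYS counted from when a ticket was closed, and a ticket-id-only audit trail. It goes slightly beyond the post by handling the two cases a sweep usually gets wrong: open tickets and tickets that must be kept for a legal reason, which an erasure request should surface for a human decision rather than silently delete.

```python
"""Retention housekeeping and erasure handling for support tickets.

Added example for this thread; not code from the original posts or from any
helpdesk product. Assumptions (all hypothetical): tickets are plain records
exported from the helpdesk tool, the published retention period is
RETENTION_DAYS counted from when a ticket was closed, and legal_hold marks
tickets that must be kept despite the retention policy.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Must match the period stated in the published privacy statement.
RETENTION_DAYS = 365


@dataclass
class Ticket:
    ticket_id: str
    requester_email: str
    status: str                    # "open" or "closed"
    closed_at: Optional[datetime]  # None while the ticket is still open
    legal_hold: bool = False       # e.g. subject of an ongoing dispute


@dataclass
class SweepResult:
    kept: list
    deleted_ids: list
    audit: list = field(default_factory=list)  # (ticket_id, reason, when)


def is_expired(ticket: Ticket, now: datetime) -> bool:
    """A ticket leaves retention only once closed, past RETENTION_DAYS and not on hold."""
    if ticket.status != "closed" or ticket.closed_at is None:
        return False
    if ticket.legal_hold:
        return False
    return now - ticket.closed_at > timedelta(days=RETENTION_DAYS)


def retention_sweep(tickets: list, now: datetime) -> SweepResult:
    """The housekeeping job: drop expired tickets and keep an audit trail.

    Audit entries carry the ticket id and reason only, never the e-mail, so
    the log does not become a second copy of the personal data it removes.
    """
    result = SweepResult(kept=[], deleted_ids=[])
    for t in tickets:
        if is_expired(t, now):
            result.deleted_ids.append(t.ticket_id)
            result.audit.append((t.ticket_id, "retention_expired", now.isoformat()))
        else:
            result.kept.append(t)
    return result


def erase_subject(tickets: list, email: str, now: datetime) -> SweepResult:
    """Right-to-erasure request: remove every ticket for the subject regardless of age.

    Tickets on legal hold are kept and reported so the controller can document
    the refusal; that is a human decision, not one for a batch job.
    """
    wanted = email.strip().lower()
    result = SweepResult(kept=[], deleted_ids=[])
    for t in tickets:
        if t.requester_email.strip().lower() != wanted:
            result.kept.append(t)
        elif t.legal_hold:
            result.kept.append(t)
            result.audit.append((t.ticket_id, "erasure_blocked_legal_hold", now.isoformat()))
        else:
            result.deleted_ids.append(t.ticket_id)
            result.audit.append((t.ticket_id, "erasure_request", now.isoformat()))
    return result


# Constructed sample data; the addresses are placeholders, not real users.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)
SAMPLE_TICKETS = [
    Ticket("T-1", "alice@example.com", "closed", NOW - timedelta(days=400)),
    Ticket("T-2", "bob@example.com", "closed", NOW - timedelta(days=30)),
    Ticket("T-3", "alice@example.com", "open", None),
    Ticket("T-4", "carol@example.com", "closed", NOW - timedelta(days=500), legal_hold=True),
]


if __name__ == "__main__":
    swept = retention_sweep(SAMPLE_TICKETS, NOW)
    print("retention deleted:", swept.deleted_ids)   # ['T-1']
    erased = erase_subject(swept.kept, "Alice@example.com", NOW)
    print("erasure deleted:", erased.deleted_ids)    # ['T-3']
    for entry in swept.audit + erased.audit:
        print(entry)
```

Two design points worth carrying into a real job: the retention clock starts at closure, not creation, so a long-running ticket is not deleted mid-conversation; and the same RETENTION_DAYS constant should be the number quoted in the privacy statement, otherwise the documentation Simon describes and the behaviour of the system drift apart. The helpdesk provider's own deletion API is the processor-side half of this; the audit entries are what you show to demonstrate the request was honoured on time.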