In my previous blog I referred to EU citizens. That should have been EU residents, not citizens: GDPR applies to EU residents. Who counts as an EU resident? I asked a few consultants for help and they clarified it as follows:
“The EU GDPR will only apply to personal data about individuals in the Union. The nationality or habitual or tax residence of those individuals is irrelevant.”
This means that if an organization's employees are working on contract at a client location in the EU, they are covered by GDPR. In that case the HR scenario explained in the previous blog needs to be revisited, which changes the scope and coverage of GDPR.
Scenario 2 – Marketing and Sales functions in the organization
Many people visit an organization's website. They read the blogs published there, register for the services they need or register on the careers page. Organizations also purchase databases. Marketing and sales teams connect with contacts on social media such as LinkedIn, Twitter, Facebook and Instagram.
All this information is gathered and stored in your organization and used for various purposes such as cold calling, sending marketing collateral and blogs, and automated profiling. From now on your team must be careful about what information they process and how they process it. As both the controller and the processor of this information, you have a dual responsibility to protect personally identifiable information.
Looking at the above figure, we can trace the flow of data from EU residents (Data Subjects, DS) through the Marketing and Sales functions. The details are as follows:
Information about a Data Subject is gathered as follows:
- When a DS visits the website, he or she has to fill in a registration form with contact details: mobile number, email ID, LinkedIn profile URL etc.
- Information about the DS is obtained from purchased databases.
- Marketing and sales people connect with probable leads on social media such as LinkedIn, Twitter and Facebook. They generally start communicating after an initial introduction and share marketing and sales collateral. These contacts are also used for cold calling. It is always better to get their consent before doing any of these activities.
- Visiting cards are collected at exhibitions, seminars and other events.
All this personal information is processed through the various platforms depicted in the diagram above. Make sure you understand the nature of the processing being done, and ensure your privacy notice and/or consent form informs users about these activities.
It is important to publish a privacy notice and consent forms on your website. As mentioned in my previous blogs, design and implement mechanisms in your organization to handle Data Subject Access Requests (DSARs).
Recently a friend's company received the following email from a prospect:
‘Please stop bothering me with e-Mails. I have never asked you to contact me. I will not attend the exhibition. I want you to delete all my Personal Identifiable Information from your systems immediately. I am not interested in your services. I am expecting a confirmation that you have deleted my data from your systems within the next 14 days; if I do not get this confirmation I will hand over this issue to our legal department and the legal authorities in Germany, which will certainly be interested as your company seems to do business in Germany. And as we all know, GDPR is approaching.’
How would you handle this situation if you were in my friend's shoes? The best way to handle it is as follows:
- This is a DSAR (Data Subject Access Request), specifically a request to be forgotten, i.e. to have his data erased.
- It should be reported as an incident.
- The DPO (Data Protection Officer, the central authority in your organization) must act on this request.
- The DPO must acknowledge the email.
- Either manually or with the help of technology, the DPO must ensure that the data is deleted from all systems and databases.
- Confirm to the Data Subject who requested the deletion that their data has been deleted from all systems and databases under your control.
- Train sales people about the incident and the procedure for handling such requests.
- Prevent the same PII (personally identifiable information) from being added to the systems and databases again. If someone tries to add it, a notification must be shown telling him or her that this PII has been deleted and must not be added again. It could be added as an individual record or imported from online databases or social media, and the person dealing with this same PII may be a different one. We must block the addition of the same PII at any cost.
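One way to implement that last step, a suppression list that blocks erased PII from being re-added whether it is typed in by hand or bulk-imported from a purchased database, as an added example that is not part of the original post. It assumes a CRM that hands over records as dicts with `email` and `mobile` fields and a secret key kept outside the CRM; the list stores only keyed hashes, so the erasure register itself does not retain the deleted identifiers.

```python
import hashlib
import hmac
import re
PEPPER = b"constructed-demo-key"  # assumption: the real key lives in a key store, not in the CRM

def fingerprint(field: str, value: str) -> str:
    """Keyed hash over a canonical form: the list never stores the identifier, and case or formatting differences do not bypass the block."""
    value = value.strip().lower()
    if field == "mobile":
        value = re.sub(r"\D", "", value)  # digits only: "+49 30 12" and "+49-30-12" match
    return hmac.new(PEPPER, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()

class SuppressionList:
    def __init__(self):
        self._erased = {}  # fingerprint -> DSAR ticket id

    def record_erasure(self, ticket: str, identifiers: dict) -> None:  # call once the DPO has confirmed deletion everywhere
        for field, value in identifiers.items():
            self._erased[fingerprint(field, value)] = ticket

    def check(self, record: dict):
        """Return the DSAR ticket that blocks this record, or None if it may be added."""
        for field in ("email", "mobile"):
            ticket = self._erased.get(fingerprint(field, record[field])) if record.get(field) else None
            if ticket:
                return ticket

    def filter_import(self, records: list):
        """Split a bulk import (purchased database, social-media export) into accepted and blocked rows."""
        accepted, blocked = [], []
        for record in records:
            ticket = self.check(record)
            if ticket:
                blocked.append((record, ticket))  # shown to the user as "erased under <ticket>, must not be re-added"
            else:
                accepted.append(record)
        return accepted, blocked

def demo():
    """Constructed sample: one erasure, then a purchased list that would re-introduce the same person."""
    sl = SuppressionList()
    sl.record_erasure("DSAR-0001", {"email": "Jane.Doe@example.com", "mobile": "+49 30 1234567"})
    purchased = [
        {"name": "J. Doe", "email": "jane.doe@EXAMPLE.com"},  # same address, different case
        {"name": "J Doe", "mobile": "+49-30-1234567"},         # same number, different formatting
        {"name": "Sam Lee", "email": "sam.lee@example.org"},   # unrelated record, accepted
    ]
    return sl.filter_import(purchased)
```

The same `check` call can sit behind the CRM's "add contact" form so that a manual entry is refused with the ticket reference, not just a bulk import.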