Now that GDPR is well embedded in the vocabulary of every man, woman, child and Santa, it is time to take a closer look at how the principles of data protection work in practice. Something we see come up regularly is the principle of purpose limitation: just because you have (or can find) the data does not mean you can use it!
Publicly Available Data
One of the big things to remember where publicly available data is concerned is that just because data has been made public does not mean it can be used for whatever purpose people want. You need to look at the context in which it was made public and ensure that the processing you intend to carry out is in line with that original context.
LinkedIn, for example, is a platform that allows professionals to connect, share ideas and display their professional profile, and in many cases to find employment. This means it is perfectly acceptable to use a person's LinkedIn data to engage in professional communications. It does not mean you can use it to build a database of people who may be competing against you for a job, or add them to a direct marketing mailing list.
Data Gathered by the Organisation
Another example I like to use, which concerns data collected and processed lawfully by an organisation, is the case of pharmacists. A pharmacist might collect a patient's email address or phone number in order to inform them when their prescription is ready for collection. That data was collected for a specific purpose. Just because the pharmacist has these contact details on file does not automatically mean they can be added to a marketing mailing list. Using these details for marketing would normally require the informed consent of the individual or another lawful basis. However, in this situation the individual could be contacted about a new service that is directly related to the delivery of their prescription, for example free home delivery or extended opening hours. This is referred to as a transactional communication. Even with this type of communication, the individual must be given the option to refuse it.
The most practical way of stopping the misuse of data in these scenarios is to ask "why do we have the data?" If the answer is not the processing activity you are about to undertake, or something directly aligned with that activity, then don't do it. Simple? Not always. We would always advise caution and, under the principle of transparency, communicate what you intend to do with the data to the customer at the point of gathering it and ask them to opt in (tick a box). With every communication you should also offer the option of changing that initial preference.
If you believe that the processing you are about to undertake is aligned with the original purpose for gathering the personal data, it's important to undertake a compatibility test.
The Compatibility Test
You can begin the compatibility test by taking into account (Recital 50):
- Can you identify a link between the initial purpose and the intended further purpose?
- Document the context in which the data was originally collected, giving particular attention to the reasonable expectations of the data subjects and taking into account your relationship with them.
- What is the nature of the personal data you have collected? Does it contain any high-risk personal data, or any data that may fall under Article 9 (special category data) of the GDPR?
- What could the consequences of the intended further processing be for the data subject?
- Are there appropriate safeguards in place for both the original and the intended further processing operation, and what are they?
- Are we relying on the same lawful basis? (You need to have had a lawful basis for the original processing that occurred.)
Let's try this out for the pharmacist example above. You can give each criterion a score from 1 to 5 and a different weighting depending on your organisation's risk appetite. For the purposes of this test, however, let's just apply a PASS or FAIL result to each criterion.
- The link between the two purposes is that both involve communicating with the data subject. However, the actual end purpose behind the new communication is completely different (i.e. marketing) – FAIL;
- Regarding context, the data was collected by a healthcare professional, where there was an inherent expectation of privacy and confidentiality due to the relationship – FAIL;
- The personal data is not highly sensitive, as the processing here concerns contact details only. For the purposes of this example, let's say the pharmacist keeps this data separate from the customers' healthcare data (which falls under Article 9) and does not intend to use that healthcare data in the marketing – PASS;
- The consequences are unlikely to be severe (though they may be annoying). There is a low probability of any serious harm being done – PASS;
- Assuming the pharmacist has invested in appropriate technical and organisational measures to adequately protect the personal data they process – PASS.
Based on this quick assessment of the further processing under consideration, more than one of the checks has failed. This should cause the pharmacist to hold off carrying out the new processing and consider what further actions need to be taken to ensure the pharmacy remains compliant with data protection law.
If the outcome of your test is that the purposes are compatible, the next step is to ensure the new processing addresses the principles of data protection. At the very least, inform the data subjects how their data will be processed, give them the right to object, update your privacy notices and update your records of processing. Please note that this further processing will only be lawful if the original processing was lawful in the first place.
If the outcome of the test is that the purposes are incompatible, it is advisable to undertake a data protection impact assessment (DPIA) to fully understand the risks to the fundamental rights and freedoms of the data subject and to identify what actions are necessary to make the new purpose compliant with GDPR. This may include identifying a lawful basis that differs from the one relied upon for the original processing.