Many organisations have sent out direct mail with messages suggesting that all contacts must ‘opt-in’ to receive communications after the GDPR comes into effect on 25 May 2018. However, these organisations will be basing this on their circumstances and their interpretation of the law.
The UCL GDPR Preparedness programme advises you not to send out similar communications before ensuring that you are clear about the status of your data. There are many cases where you will not need to contact the persons to ask for their consent; rather, you will be required to provide them with an updated privacy notice detailing how you are processing their information.
GDPR is a continuous process, and therefore the 25th May 2018 is not a deadline. Depending on the status of your lists, you may still be able to ask contacts to opt in after 25 May 2018.
- The approach
The GDPR programme recommends that you take a risk-based approach when deciding what action to take regarding ‘re-consenting’. The questions in this guidance note are designed to help you assess the privacy risks related to ‘communications lists’, and you should complete this exercise for each of your ‘communications lists’.
One of the central principles of the GDPR is that there will be six legal bases for processing personal data. There are three categories of data in GDPR, Personal Data, Special Categories Data and Criminal Records Data. You need to establish a lawful basis for processing for each of the categories of data which you process. For example, if you are processing a data set with both Personal Data, as well as Special Categories data, you need to establish a lawful basis for processing for Personal Data, as well as the lawful basis for processing ‘Special Categories Data’.
Where personal data is used for direct marketing purposes (“Any email communications sent to individuals at multiple organisations promoting any of UCL’s services, regardless of whether they are paid for or free of charge, other than those you are already contracted to deliver to them”), the two bases which are most likely to provide the lawful basis for processing are:
- Consent: The individual has ‘freely given’ active consent for you to process their data for a specific purpose.
- Legitimate interest: People’s data is used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Where personal data in a communications list is used as part of UCL research and/or teaching, a third lawful basis, ‘Public Task’, may be appropriate: we will process personal data ‘in the exercise of official authority’ as a body incorporated by Royal Charter, to further teaching and research in the public interest.
- Determining the ‘Lawful basis for Processing’
The Information Commissioner’s Office (ICO) has created a tool to help you determine which ‘Lawful Basis for processing’ is appropriate for you.
- We are aware that across the UCL, there is considerable variation in the consent status of direct marketing and communications contacts. Some contacts have been obtained with GDPR-compliant consent, others with consent that may or may not be compliant and others without consent.
- It may still be possible to use the contact data of those who have not given GDPR-compliant consent on the basis of legitimate interest. “The legitimate interests basis is likely to be most useful where there is either a minimal impact on the individual or else a compelling justification for the processing.” However, this basis “places more responsibility on you to justify your processing and any impact on individuals. In effect, it requires a risk assessment based on the specific context and circumstances to demonstrate that processing is appropriate”.
- Reviewing your mailing lists
- When you gathered the personal details in your communications lists, did you have appropriate consent for this? What data fields have been gathered in these lists and are any of the data fields ‘Special Categories of Personal Data’ or Criminal Records Data?
- Are you using the information on the mailing list for any other purposes other than its original intention, e.g. if the original purpose was to communicate newsletters, are you using this data to do secondary processing such as data mining, targeted advertising etc.?
- Storage of the mailing lists
You should review the guidance note: Guidance note on handling personal data responsibly
- Is the mailing list stored on UCL Managed Services (UCL S: Drive, UCL One Drive, UCL SharePoint etc.)?
- Are there copies of this list anywhere, even within departmental teams?
- Who has access to these lists?
- Are these lists protected?
- Processing
- Do you transfer data outside of the EU? NOTE: If you use MailChimp or a similar mailing service that is based outside of the EU, uploading your list to it is likely to constitute a transfer of data outside of the EU.
- Do you undertake any reconciliation exercise of your mailing lists to ensure that they are accurate? NOTE: If you are using a service like MailChimp, when an individual unsubscribes, the Mailchimp database is updated, however, if you store a master copy of the mailing list, and you are not undertaking a reconciliation exercise, then you are not keeping data accurate and you are potentially storing personal data when you should not be.
- What to do once you have answered these questions
- Review your answers to the questions and assess the level of risk of privacy harm. Ask yourself: if this data were breached, what harm would come to the individual?
- If you have only gathered ‘personal data’ and not ‘special categories of personal data’ or criminal records data, then your risk of harm in the event of a breach is lower.
- If you can show that you did gather the data according to DPA (1998) then you should have the appropriate consents to retain the data.
- If you cannot show that you did gather the data according to the DPA (1998), your risk of privacy harm has increased, and you should complete a Data Protection Impact Assessment (DPIA).
- If your mailing list is not on a UCL managed service, you must make provisions to move this data to the UCL managed services urgently. Please contact your local IT manager to assist you. UCL cannot secure and control its data on non-UCL managed services.
- Once the data has been moved you need to ensure that it has been securely deleted off the non-UCL managed service (e.g. Dropbox, Google Drive etc.)
- If there are duplicates of the communications (mailing) lists, you will need to review the reasons for this – every additional copy increases the risk that the data retained is not kept accurate and exposes UCL to an increased risk of breach.
- Access to the communications (mailing) lists should be restricted to those who need it and not open access.
- Excel/Word passwords are 16-bit and are not suitable. Once you have moved the data onto a UCL managed storage device, or if it is already there, consider whether you need to encrypt the folder it is stored in. Guidance on encryption can be found here.
- If you are using a 3rd party service like MailChimp, you need to consider your processes. If someone updates their details on MailChimp how are you reconciling this with your master copy? An easy solution is to ensure that you do not hold a master copy (or duplicates) and manage the list directly on MailChimp. However, you need to determine if the individuals on your communications lists are aware that their data is being transferred outside of the EU.
- Conclusion
Once you have answered these questions and thought about these actions, you need to consider the privacy risk of your communications list. Your response to this must be proportionate to the risk, i.e. if there is a high risk of breach and a high risk of harm, then you should look to remove the risk either through a data cleanse or by undertaking a re-consenting exercise. If there is a low risk of breach and a low risk of harm, then you could take a decision not to ‘re-consent’, but you should consider whether a ‘local privacy notice’ should be provided for the future gathering of data.
Whatever decision you take on this matter, staff need to ensure that they document the decision-making process, plan any work required to meet the GDPR and then action this work.
- Where can I get assistance?
If you have any doubts about the privacy risk, you should complete a DPIA.
If you require assistance with completing this checklist, you should contact the GDPR Programme at gdpr@ucl.ac.uk.
If you feel that you have a very high-risk list and are concerned that you are not able to reconcile the level of risk, you should contact the Data Protection team at data-protection@ucl.ac.uk.