MayDay: questions and concerns from last-minute GDPR compliance seekers…

It’s been a very long week ushering in the infamous and inevitable May 25th GDPR enforcement go-live date.  I’ve been calling this day “MayDay”. 

May 25th 2018 is going to feel like a Y2K moment to me, all over again. We worked very hard over many months to complete all the code rewrites, patches, checklists, and other prep well in advance of the midnight clock-tick, yet my team and I still spent New Years Eve 2000 in the data center with one eye watching computer screens and the other eye watching the TV showing all the successful ball drops across the globe and nary a global catastrophe in sight.  

This week, I’ve had a steady stream of meetings with concerned clients, mostly operations personnel, scrambling to implement their legal teams’ interpretations of GDPR consent and data subject erasure. Was this about customers? No. Nearly all these GDPR questions, and from a disproportionate number of clients, were about employer and employee, namely employee consent, internal use of cookies, and employee usernames contained within security logs.

The difference between Y2K and GDPR MayDay is that Y2K came and went.

Based on what I’ve heard this week, I think some legal and compliance teams might be overreaching a bit out of an abundance of caution, or they are stretching their interpretation of the language in this law. There is indeed a lot of room for misinterpretation, since GDPR contains many broad and vague statements.

Below are the most popular (but generalized) questions of the week.

  • What about a company’s file shares, which contain working documents, presentations, emails, and spreadsheets authored by EU persons while employed by the company (active or terminated)?
  • What about company security and event logs? Most logs contain only generic event information (successful and failed login attempts, web-trends information, appropriate-usage monitoring, etc.).
  • What about company email addresses of former employees? I ask for an example… I hear: say you have a high-profile sales rep who quits. We use the former employee’s email address as an alias that directs the email to the sales manager, so the manager can interact with the client and not lose potential business just because the sales rep decided to quit.
  • Does the company’s employee-only Intranet portal require specific, expressed, explicit consent for the use of cookies? Really? Really. Really!

Since these questions were so similar in nature across at least ten clients, I think there are probably others out there with very similar questions and concerns. Hence, I thought it might be beneficial to use this opportunity to provide some one-to-many feedback.

Obviously, your compliance and legal departments own the “compliance problem” as well as the decisions for how to interpret laws and regulations, but let’s put the relevant parts of GDPR into context so that you can interact with those teams in a constructive manner.

GDPR: The Right to Erasure

Article 17 of the EU General Data Protection Regulation (GDPR) addresses the “right to erasure” (aka, the ‘right to be forgotten’), which allows individuals to request the removal of personal data that an organization holds on them. Individuals can exercise this right when:

  • The controller no longer needs the data for the purpose that it was originally collected;
  • The individual withdraws consent;
  • The individual objects to the processing and the organization has no overriding legitimate interest in the data;
  • The controller or processor collected the data unlawfully;
  • The data must be erased to comply with a legal obligation; or
  • The data was processed in relation to the offer of information society services to a child.

Organizations can refuse to comply with a request for erasure if:

  • The processing is protected by the right to freedom of expression;
  • Processing the data is necessary to comply with a legal obligation, or to perform a task in the public interest or in the exercise of official authority;
  • The data is for health purposes in the public interest;
  • The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
  • The processing is necessary to exercise or defend legal claims.

GDPR: Consent

Many people mistakenly think that organizations MUST ALWAYS get consent to process personal data. But, consent is only one of six lawful grounds for processing personal data. If no other lawful grounds can be applied, then you would be wise to rely on consent.

The other lawful grounds are:

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfill an obligation under an employee contract.
  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
  • Legitimate interests: when a private-sector organization has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.

However, there will be times when consent is the most appropriate lawful basis, so you need to be aware of your obligations.

GDPR and Your Corporate Security Event Logs

This is a considerably popular topic. A company’s servers capture failed and successful login attempts, IP addresses, and other diagnostic information in security log files. This data is generally never used beyond the purpose of tracking and responding to security incidents, but it must exist so that incidents can be investigated. Therefore, there is no reason to obtain consent.

Recital 49 of the GDPR puts it this way:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

Standard server logs with IP addresses, usernames, and other identifying information must be disclosed in a corporate privacy policy, but you are not required to seek consent from employees or outsiders, because you collect them as part of a business-critical need to prevent fraud. See Recital 49, which also includes the language: “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.”

Hence, you are not required to obtain consent to collect this information because it is considered business critical and used for fraud prevention.

You should routinely purge unnecessary log files, or encrypt the archives if you are required to retain them, but you needn’t take special action beyond that.
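As an added example (not the author’s or any client’s code), here is a small Python retention pass over constructed authentication-log lines of the kind discussed above: it separates entries still inside the retention window from those past it, which are the ones to purge or, where a legal obligation forces you to keep them, to encrypt and archive, and it reports which identifying fields the log actually carries so the privacy policy can disclose them. The line format, the 90-day window, and the `utc` timestamp format are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed line format: ISO-8601 UTC timestamp, event name, user=..., ip=...
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
                     r"(?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)")

# Constructed sample of what an authentication log might contain.
SAMPLE_LOG = """\
2018-01-10T08:01:02Z login_failed user=jdoe ip=10.0.0.5
2018-03-20T09:15:00Z login_ok user=asmith ip=10.0.0.7
2018-05-20T17:45:10Z login_failed user=jdoe ip=203.0.113.9
2018-05-24T23:59:59Z login_ok user=jdoe ip=10.0.0.5
"""

def utc(stamp):
    # Same assumed timestamp format as the log lines, as an aware UTC datetime.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = utc(rec["ts"])
    return rec

def apply_retention(text, now, retention_days=90):
    """Split lines into those inside the retention window and those past it.
    Expired lines are the ones to purge, or to encrypt and archive when a legal
    obligation forces you to keep them.  Unparseable lines are kept, not dropped."""
    cutoff = utc(now) - timedelta(days=retention_days)
    keep, expired = [], []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["ts"] >= cutoff:
            keep.append(line)
        else:
            expired.append(line)
    return keep, expired

def personal_data_fields(text):
    """Identifying fields the log actually carries, for the privacy policy."""
    found = set()
    for line in text.splitlines():
        rec = parse(line)
        if rec is not None:
            found.update(k for k in ("user", "ip") if rec.get(k))
    return found
```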

Involve your Human Resources department

Regarding the work to implement processes such as:

  • gaining employee consent within your intranet portal or other electronic corporate systems,
  • being transparent with your employees about your security logs and, more importantly, their purpose,
  • being transparent that you have legitimate legal grounds for refusing to delete former employees’ first and last names, which typically get tagged onto corporate Word documents, presentations, Excel spreadsheets, etc.,

you can handle all of these through your Human Resources organization rather than implementing technical/IT fixes: just include these details in an updated employee handbook and request these consents in written form. Remember that expressed, unambiguous consent can be freely given in written, verbal, and electronic forms.

Hope this helps,

Ed

PS: If you need help getting up to speed, check out our complimentary GDPR alignment session!
