Consent and Retention

09 August 2018

• data protection
• GDPR
• PRIVACY

There are effectively two points to consider here, firstly, the requested consent for data usage during the retention period and secondly, how the business manages the information collected in order to document and evidence as compliance.

The business should consider things such as:

• how the data is stored, i.e. primary storages such as databases; secondary storages such as email, employee contact records, printed materials and spreadsheets etc; thirdly, backups.
• The stage at which a contract occurs - this may affect the data retention

An individual who contacts a business with the intent of custom will often expect to be contacted back by the business. It would be wise for the business to record the contact details and make a note of the time and the conversation and ask the customer permission to send out information. There should also be mention that once the transaction has completed, their personal data will be destroyed, and in what time frame, taking account of any warranty periods etc.

Of course, strictly speaking, the entire information listed in Article 13 of the GDPR should be regaled to the customer, but clearly, this would be impracticable and only serve to obstruct the business's usual trading operations. The point is clarity. Customers should know about what information the business holds and why. Once the customer instructs the business to stop using and delete the information, it should do, save for circumstances which dictate otherwise (the right of erasure is not absolute). The risk-based nature of GDPR along with the Accountability Principle allows for a proportionate approach to compliance which must be documented to demonstrate compliance.

Beyond the stage of enquiry, and where the fulfilment of a contract means that personal data is required, then consent is not necessary. Further, if the business wishes to send the customer information about similar products then there is a legitimate interest in doing so, as long as it has provided to them information about its processing activities and the rest of the content of article 13.

Ultimately, where a customer contacts your business to make the enquiry then the lawful basis is not consent, it is legitimate interest. Obtain a contact e-mail address and respond with an acknowledgement and link to your Privacy Notice, or if by post, a letter with the Privacy Notice. This should go some way to showing compliance.

Remember, at this stage, they have simply made an enquiry. They should be on an enquiry list. They are not on your marketing list, and so you do not have consent to send out marketing materials such as newsletters, etc. To overcome this, you should provide these potential customers the opportunity to agree to further contact, such as through your website sign-up form.

Even after doing business with the customer, do not fall into the trap of contacting them later to allow them to update their marketing preferences. This would be considered as direct marketing and is not allowed by PECR.

Finally, remember that any contact that you have with the individual must have a clear and easy opt out.