Do you have a purpose for collecting and keeping someone’s personal data? If not, you are hoarding data and maybe doing so illegally

According to Mayo Clinic: “Hoarding disorder is a persistent difficulty discarding or parting with possessions because of a perceived need to save them. A person with hoarding disorder experiences distress at the thought of getting rid of the items. Excessive accumulation of items, regardless of actual value, occurs.”

When the deadline for GDPR loomed on 25 May 2018, some organisations appeared to go through similar distress. The realisation started to sink in that very soon, they won’t be able to collect and keep personal data without a lawful basis. Many of them started frantically spamming their database to ask for consent to continue spamming — to the derision of many on social media.

It seemed that few organizations used GDPR compliance as an opportunity to ask themselves: Do we need all that data? Do we have a data strategy? What was, and continues to be, our legitimate interest for processing personal data?

Which incidentally is the last of the six lawful bases for processing personal data under GDPR. The first lawful basis, consent, got most of the attention for some, perhaps because their instinctive focus was on safeguarding their data hoard. I think the last basis should actually be the basis to consider first. If there was no legitimate interest, there won’t be a need to keep the data in the first place, much less spend money and effort to seek consent.

Also read: With AI and IoT playing a growing role in our lives, it’s time to be more conscious of privacy and security

For those that took GDPR as an opportunity to develop a data strategy — and do a bit of spring cleaning against that strategy — a useful thing to do would have been to consider the UK Information Commissioner’s Office of UK recommended 3 part tests of a legitimate interest for processing personal data:

1. Purpose test: What is the problem you are hoping to solve with the data? Why do we need to solve it? Who benefits?

2. Necessity test: Does processing the data helps solve the problem? Is there another way to solve the problem without processing personal data?

3. Balancing test: Does the impact of your data processing on others overrides your interest?

In a way, these considerations form the first step in developing a data strategy, of which there are at least three components:

1. What is the problem that you are trying to solve with data?

2. What is the data we need to solve the problem?

3. What governance is ensuring that the data is helping to solve the problem?

(Each of those components is an article in itself!)

So, data hoarding isn’t a data strategy. A data strategy needs to be developed before data is even collected. Not “let’s figure out if we can do something useful with all the data we inadvertently collected.” That approach to data isn’t only a costly habit to upkeep, it may even be illegal if it involves personal data.

In the emerging data economy, a major competitive advantage would be the ability to leverage data and analytics about your customers to serve them better. The trick would be to get your customers to agree with you. That you have a legitimate basis to process their data, that you will protect the data shared with you, and it is in their interest to give you permission to their data. That is, a data knight who would protect their data, not a data hoarder, who doesn’t even know where and how to remove their data even if asked to.

And so, are you a data hoarder? Or are you going to be a data knight in the data economy?

—-

e27 publishes relevant guest contributions from the community. Share your honest opinions and expert knowledge by submitting your content here.

Photo by Liam Tucker on Unsplash

The post Is your business illegally hoarding user data? How do you deal with this affliction? appeared first on e27.