Let’s take a specific example of just how easy it is to breach one of these provisions. Article 14(2)(a), for example, requires that a data controller disclose “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine the period”. We have seen disastrous examples online of policies claiming to be GDPR compliant that state personal information will be held for 6 years in accordance with UK tax law. Unless all the data you possess is being processed for specific tax record-keeping purposes that carry a 6 year time limit (almost impossible), this statement is simply untrue for the rest of your data (e.g. data collected for marketing purposes, or enquiries received from customers), is therefore immediately unlawful and unfair, and breaches Article 14(2)(a), exposing you to the risk of fines. Unless you can be absolutely certain that you will retain someone’s information for a specific period of time, it is far wiser to set out the criteria you use to determine how long you will retain personal information, such as whether you need to keep it because of a legal obligation, or for as long as you have the consent of the data subject (for instance).
Lastly, what happens if the ICO comes across your non-compliant website itself? What will they think about your approach to GDPR, and about whether you are complying with its other, more onerous obligations? You get the idea.
If you have any questions, feel free to email us at firstname.lastname@example.org