Data Mining and GDPR Compliance: Dealing with Obtaining EU Personal Information from Third Parties Under the GDPR (Including a Notification Checklist!)

As the effective date of the General Data Protection Regulation (GDPR) draws near, companies that collect, process, and use data relating to EU citizens need to be thinking proactively about issues they will face under the new directive. This post summarizes the discrete issue of how companies should start to manage data mining and data usage activities. Stay tuned as we continue to keep you updated in this space.

As most are probably by now aware, the GDPR seeks to regulate the use and disclosure of the personal data of all individuals within the 28 EU member states. Though passed into law in May 2016, it does not become enforceable until May 25, 2018. Unlike most privacy regulations in the U.S., the EU defines the term “personal data” broadly—it includes “any information relating to an identified or identifiable natural person (the ‘data subject’).” This means that even the most basic contact information, such as business card details or simply a name and email address, falls under the GDPR’s protections. Public sources of information, such as a residential phone listing, are not exempted from the GDPR’s restrictions.

To legally handle EU personal information harvested from third-party sources after May 25, 2018, you should review your current practices and determine whether changes are needed to maintain compliance.

Step 1: Determine Whether Your Source Obtained the Personal Information Lawfully

While the GDPR does not prohibit acquiring prospect lists from third parties—including internet databases—its protections and restrictions apply equally to the collection and use (i.e., processing) of personal data, whether the information was obtained directly from the individual or indirectly (e.g., acquired from a third-party source). Additionally, processing personal data obtained from public databases or third-party sites for marketing purposes triggers a GDPR requirement that you be able to demonstrate that the data was originally obtained in compliance with the GDPR, and that you are entitled to use it for your own advertising purposes. Generally, this means that, to obtain and use EU personal data legally, you must verify that your data sources have themselves informed the data subjects that their personal information may be shared with others for the marketing of that recipient’s (your!) products or services, and that they consented to the use and downstream disclosure.

There is a unique potential danger in scraping data from public sources and social media platforms, inasmuch as many sites include restrictions in their terms of use against using information available on-site for marketing purposes. Hence, data captured via standard scraping or other data-mining techniques is unlikely to comport with GDPR restrictions.

Step 2: Assess Whether You Have a “Legitimate Interest” to Process This Personal Information

Once you’ve established that you’ve obtained the personal information lawfully, you must assess whether your interest in processing said information for marketing purposes constitutes a valid legal basis. It’s important to document this assessment for accountability and transparency requirements, and because, in the event of an investigation, you may be required to provide evidence a.) that the personal data processing was “necessary,”and b.) that your interest in its was not overridden by the interests or fundamental rights and freedoms of the data subjects. While we do not know at this juncture how EU authorities will interpret and enforce this provision, as of the date of this post, the European Commission has opined that an organization has a legitimate interest when processing data 1.) within the context of a client relationship, 2.) for direct-marketing purposes, and 3.) to prevent fraud or to ensure the security of its IT system.

Step 3: Notify the Data Subjects

Provided your processing of personal data from third-party sources for marketing purposes is otherwise compliant, the GDPR further requires you to notify EU data subjects when first collecting such information. This means that you must provide formal notice to the subjects within a reasonable time, not to exceed the earlier of the first communication to that person or one month from the date of first processing/collection from the data source.

Strict attention to the GDPR requires that all of the following information be communicated to the data subject:

  1. Where you obtained the information from and whether your source is publicly accessible
  2. The categories of personal information processed (e.g., name, address, email, employer, etc.)
  3. A brief explanation of the purpose for which you obtained the person’s information
  4. The applicable legal basis for your processing
  5. Your identity and contact information, along with the identity and contact information of your EU representative and your Data Protection Officer
  6. The identification of any recipients, or categories of recipients, of the personal information you are processing; if any recipient is located outside of the EU, you must also identify the legal basis for transferring information to it
  7. Your retention period, or, if there is none set, the criteria for determining the storage period, for the personal data
  8. A summary of the data subject’s rights under the GDPR
  9. A description of any automated decision-making (e.g., profiling) that will be based on the personal information collected, including the logic and significance of the consequences of such processing

As the compliance deadline for the GDPR approaches, it is increasingly important that anyone that processes the data of European citizens be aware of the law’s requirements and where they stand in terms of preparedness. When in doubt, you should confer with your privacy and data security attorney for guidance and assistance in developing tools to aide in internal assessment.