Zombie data: rising from the dead

It’s Halloween, meaning that zombies, witches and ghosts will likely be running amok in your city today. Whilst moaning and shambling zombies out for brains might not scare you anymore, there’s still one type of zombie to be afraid of this Halloween: zombie data.

Zombie data is data that you consider dead in your company, but that still lurks around somewhere, waiting to be called to life again. If you own a computer, you probably have a few zombies inhabiting it right now, because deleting a file doesn’t immediately remove the file from a system. The data can remain in the system for a while, even after you clear your bin. Clever Frankensteins can use programs to raise it again. Similarly, businesses may have data zombies lurking in their system or online. Whether caused by data silos that retain data that should have been deleted, data that has been passed to third parties, data traces left on hardware, or data stored in the cloud (which may be particularly good at producing zombie data), data that has not been fully deleted can come back to haunt your company when it (accidentally, or with malicious purposes) gets raised from the dead.

With the General Data Protection Regulation coming into effect in May 2018, ensuring the data you collect can be killed forever is important. The GDPR includes the right to be forgotten, meaning you need to be able to effectively delete personal data from your subjects (and all copies of that data) and ensure it stays dead. If data is not truly deleted when it should be, companies are in danger of being fined for non-compliance. Even worse: if a clever hacker manages to bring the dead data back to life, what follows might be a proper zombie data-apocalypse.

Knowing where your data is stored, who it is sent to (inside and outside your company), how third parties manage data, where copies and backups are stored and what happens when data is deleted is crucial for ensuring that data you delete is truly dead and gone, forever. At we are happy to play our part in preventing the zombies from taking over your system and ensuring that the only zombies you will have to deal with this year are the ones trick-or-treating down your street. Happy Halloween!

Consent, explicit vs. unambiguous, the difference Datastreams Blog!

Explicit vs. unambiguous consent: what’s the difference?

Consent is as crucial as it is complicated. As one of the legal grounds for data processing, asking for consent is often an important part of personal data collection. While the GDPR clarifies a lot of the confusion and vagueness about the meaning of consent, there is still some confusion over one thing: explicit consent. The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” 

Delving deeper, according to various sections within the GDPR, there are two types of consent: unambiguous consent (Article 4) and explicit consent (Article 9.1). If the data is ordinary, non-sensitive personal data, “unambiguous” consent suffices. However, “explicit” consent is required if the data in question is sensitive data (data concerning physical or mental health, racial or ethnic origin, etc.). So, what exactly is the difference?

Explicit versus Unambiguous consent
The difference between “unambiguous consent” and “explicit consent” is not immediately a clear one. Since consent must always be informed, specific and communicated through affirmative action, it seems that any type of consent will require a data subject to be fully aware of what they are agreeing to and clearly indicate their agreement with this. Isn’t all consent that is unambiguous and informed automatically explicit? Not necessarily.

Explicit consent
Let’s start with explicit consent. Explicit consent requires a subject to clearly and explicitly agree to their personal and (crucially) sensitive data being processed.

Under GDPR Article 9, explicit consent is required for the processing of certain “special” types of personal data. Examples include racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Explicit consent must be obtained through a statement that should: “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”. (Directive 95/46/EC, Article 29).

Explicit consent, then, consists of nothing less than presenting the data subject with an explicit statement regarding the specific personal data to be collected and an explicit action by the subject agreeing with this statement (such as ticking a box saying ‘I agree’). Simply stated: the data subject should quite literally and explicitly say “I consent” for consent to be considered explicit.

Unambiguous (implied) consent
Consent for regular, non-sensitive personal data doesn’t necessarily need to be explicit, but it does need to be unambiguous. We can call this unambiguous, implied consent. Unambiguous, implied consent is best explained through an example.

Say a person wants to take part in an online competition. They enter several optional pieces of information, including their email address. Above the field it is stated that ‘we will use your email to keep you up to date on special offers’. By entering their email address after reading the notice, the subject consents to giving their information (that is, their email address) without ever explicitly stating ‘I consent’ or ‘I agree’. The affirmative action of entering their email is enough to constitute unambiguous consent, even though it is implicit and not said ‘out loud’.

The five pillars of GDPR Consent

Consent has long been an important term in the world of data governance and is an important tenet of data protection law. Obtaining consent from an individual to process their data is one way of establishing a legal basis for data processing. With the GDPR approaching, companies will have to ensure that the consent received from subjects is in line with the GDPR standards. To this end, the GDPR provides a much-needed, updated definition of consent, defining it as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Evidently, to comply with the GDPR regulations, consent needs to be:

Freely given
Consent needs to be obtained freely without coercion. Providing consent should be a genuine choice of the data subject; they should not have been intimidated or misled into providing it. Consent will not be considered freely given if:

  • The data subject has no genuine choice in providing consent or cannot easily and without detriment withdraw consent.
  • There is a clear imbalance between controller and data subject (e.g. employer and employee).
  • The performance of a contract is made conditional on the subject’s consent to data processing activities which are not required for the performance of the contract.

Specific
Consent must be obtained for specific processing operations. It needs to be given (separately) for all specific processing operations covering all purposes. Blanket consent for unspecified data processing operations is not valid consent.

Informed
The request for consent should be easily distinguishable from other matters and presented in clear and plain language. A consent request can therefore not be wrapped up in a wider set of terms and conditions. Furthermore, for consent to be informed, the data subject should at least be informed about the extent to which they are consenting, the identity of the controller and the nature of the processing prior to giving consent. This should be explained in an intelligible and easily accessible form. Finally, the subject should be explicitly informed about their right to withdraw consent at any time and about their right to be forgotten.

Unambiguous
The way in which consent is obtained should leave no room for doubt about the subject’s wishes and intentions when consenting. When consent is obtained for data that will be processed for multiple purposes, it must be established without a doubt that the subject agrees to all purposes. The controller must also be able to demonstrate that the data subject has provided consent, meaning that records need to be kept for verification.

Signified by a statement or clear affirmative action
Affirmative action is required for consent to be considered freely given, specific, informed and unambiguous. Consent can be obtained by any appropriate method such as verbally, in writing or by ticking a box. Note that silence, pre-ticked boxes or inactivity do not constitute consent. It is also important to consider that the method of withdrawing consent should be as easy as giving consent.