At what point does empowering individuals to be ‘masters of their own personal data destiny’ encroach on a payment service provider's legal responsibility to prevent fraud, safeguard its venture and limit criminal activity?
One of the great successes of GDPR is that it has put individuals in control of their personal data, and organisations have had to let go of their old conviction that they own it. But, whether motivated by anger, frustration or criminal intent, there will be people who seek to exploit the right to be forgotten, and unprepared payment service providers risk having their defences outmanoeuvred. It calls to mind the familiar saying: if at first you don’t succeed, try, try again. Or, where an outcome is not to their liking, ask for the data to be erased and start again. What do I mean by this, and how is it possible? Perhaps these scenarios will resonate with you.
Scenario one: Onboarding
A fraudster applies to your business for a payment account. Your team processes the application but declines it because the individual fails some aspect of your identification and verification procedure. The declined individual then asks for the record of their application to be deleted, as is their right under GDPR.
If you comply, the fraudster can simply submit another application, changing the key details that tripped your checks. It is reasonable for you to maintain a database of declined applications, and it is reasonable for you to refuse a request to delete that data. Clearly, you should retain only the bare minimum of information and be able to justify your rationale for keeping it. In your response to the deletion request, explain why you are unable to meet it.
For record keeping, remember that the regulatory requirement is to retain the record of an unsuccessful application for five years from the date it was made, even though no contract followed. So when I say do not fully comply, I mean ‘delete’, at the data subject’s request, any data that you are not legally required to retain, and keep the rest.
Scenario two: Existing client transaction information
A client has, unknown to you, been laundering money through your business. They close their account and ask you to delete their records. At this stage you have no suspicion of anything untoward.
For occasional transactions, or where the business relationship has come to an end, the Money Laundering Regulations 2017 require customer due diligence records to be kept for a minimum of five years. Transactional data held on the customer must likewise be kept for a minimum of five years and no more than ten. As before, when you respond to the deletion request, explain why you are unable to meet it. If the laundering later comes to light, those retained records are exactly what the investigators will ask you for.
Scenario three: Applicant (HR)
Your HR team have run a successful recruitment drive, having received 100 applications and 20 interviews for three positions. One of the unsuccessful applicants emails you to ask for their records to be deleted.
Unsuccessful job applicants, feeling a little frustrated at not getting the vacancy, may well ask you to delete their records under the ‘right to be forgotten’ element of GDPR. A troublemaker might ask you to delete their records intending to complain of unfair recruitment practice once you have complied, knowing you will then have no notes with which to defend yourself. Should you comply?
Like every other request, the answer is: partially.
Industry best practice is to retain unsuccessful applicants’ data for your documented retention period and not to delete it early, even when asked. That includes interview notes, shortlisting notes and any correspondence about reasonable adjustments for a disability.
It is worth pointing out that any individual involved in the recruitment process can be held personally liable; it is not just the company. That scares me enough to be clear on what information I am retaining and why!
Scenario four: Leavers (HR)
An employee leaving your organisation asks for their staff records to be erased. A complaint has been made against them, so they have decided to jump before they are pushed. They think that having their record deleted ensures any new employer will be unaware of the disciplinary matter.
Whether the outgoing employee is a happy or a disgruntled leaver, the process is the same: comply only to the extent of deleting personal data you have no legitimate reason to retain. Employee records should be retained for six years after the employee leaves. That gives you evidence to defend claims arising from the employment, including breach of contract claims, which can be brought for up to six years after the contract ends under the Limitation Act 1980. Unfair or constructive dismissal claims in an employment tribunal must normally be brought within three months, but it is the six-year contractual limit that sets the retention period.
These scenarios show that other legislation obliges you to retain information, and that obligation overrides the data subject’s right to be forgotten; the GDPR itself carves this out, since the right to erasure does not apply where the processing is necessary to comply with a legal obligation (Article 17(3)(b)). Let’s not forget that the GDPR also, in practice, requires you to retain a minimal record even where a data subject has:
- not given consent for you to market to them;
- removed previously given consent for no reason other than they no longer wish you to contact them; and
- asked for their data to be deleted.
This is what I term a “do not contact list”: it holds the minimum information needed to make sure the data subject’s request not to be processed or contacted is honoured. Without such a list, how could you possibly comply? You would have no idea whom not to contact.
My intention here is to arm you with the knowledge and confidence to feel justified in not complying ‘fully’ with a data subject’s request. The data subject may have more control over their data, but you have legal duties to fulfil.
Document your reasoning, tell the data subject which data you have deleted and which you are retaining and why, and do so within the one-month response period the GDPR sets for such requests (Article 12); where you decline to act, your reply must also mention their right to complain to the supervisory authority. Do that and you will be fine.
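To make the “do not contact list” concrete, here is an added example (not fscom’s tooling and not from the original post) of a suppression list that stores a keyed hash of the normalised email address rather than the address itself, so the list can answer “may we still contact this address?” while holding the minimum data. The class name, the pepper handling, the reason codes and the shape of the marketing profile are my assumptions.

```python
import hashlib
import hmac
import unicodedata
from datetime import date
from typing import Dict, Iterable, List, Optional


class SuppressionList:
    """A 'do not contact' list that never stores the address itself.

    Each entry is an HMAC-SHA256 tag of the normalised email address, keyed
    with a secret pepper held outside the list (for example in a secrets
    manager), plus the reason and date the entry was made. Someone who
    obtains the list without the pepper cannot recover an address from it,
    nor confirm that a given address is on it. A keyed hash of an address is
    still pseudonymised personal data under GDPR: this minimises what is
    held, it does not anonymise it. (Added example; names are assumptions.)
    """

    REASONS = {"objected", "consent_withdrawn", "erased"}

    def __init__(self, pepper: bytes):
        if len(pepper) < 16:
            raise ValueError("pepper must be at least 16 bytes")
        self._pepper = pepper
        self._entries: Dict[str, dict] = {}

    @staticmethod
    def normalise(email: str) -> str:
        # Trim, fold case and apply Unicode NFKC so "Alice@Example.com " and
        # "alice@example.com" produce the same tag.
        return unicodedata.normalize("NFKC", email.strip()).casefold()

    def _tag(self, email: str) -> str:
        return hmac.new(self._pepper, self.normalise(email).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add(self, email: str, reason: str, when: Optional[date] = None) -> str:
        if reason not in self.REASONS:
            raise ValueError(f"unknown reason {reason!r}")
        tag = self._tag(email)
        # Keep only the tag, reason and date: nothing that identifies the person.
        self._entries[tag] = {"reason": reason,
                              "date": (when or date.today()).isoformat()}
        return tag

    def is_suppressed(self, email: str) -> bool:
        return self._tag(email) in self._entries

    def filter_recipients(self, emails: Iterable[str]) -> List[str]:
        """Return only the addresses that may still be contacted."""
        return [e for e in emails if not self.is_suppressed(e)]

    def records(self) -> List[dict]:
        """What an auditor would see: tags, reasons and dates, no addresses."""
        return [{"tag": t, **v} for t, v in self._entries.items()]


def action_erasure(profile: dict, suppression: SuppressionList) -> dict:
    """Delete a marketing profile but remember not to contact the address again.

    Assumed profile shape: a dict with an 'email' key. Returns the minimal
    suppression entry that replaces the profile.
    """
    tag = suppression.add(profile["email"], "erased")
    profile.clear()  # the identifying data goes; only the tag remains
    return {"tag": tag, "reason": "erased"}


if __name__ == "__main__":
    import secrets
    sl = SuppressionList(pepper=secrets.token_bytes(32))
    sl.add("Alice@Example.com", "objected")                      # constructed sample
    profile = {"email": "carol@example.org", "name": "Carol"}    # constructed sample
    action_erasure(profile, sl)
    campaign = ["bob@example.com", " alice@example.com", "carol@example.org"]
    print(sl.filter_recipients(campaign))   # ['bob@example.com']
    print(sl.records())                     # tags, reasons, dates only
```

The pepper is what makes the list safe to hold alongside your other records: without it the tags cannot be brute-forced from a dictionary of likely addresses, so keep it in a separate store with its own access control, and rotate it only by rebuilding the list from a fresh round of lookups rather than by re-hashing, since the addresses themselves are gone.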
It may seem a complex matter to balance the needs of the business with the rights of an individual but fscom is here to help. We are supporting our clients to process such requests fairly and in a timely manner without falling foul of their duties to data subjects and regulation. If you would like help on this or any other regulatory matter please get in touch.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.