Just shy of £100,000 of taxpayers' money was spent on inaccurate GDPR training by the House of Commons.
Misinformation about GDPR compliance means potentially thousands of pieces of legitimate electoral data were erroneously deleted.
Managing the GDPR properly means understanding not only what data should be deleted by your business, but what you can and should be retaining.
What Parliament did wrong
The issue came to light last month with this tweet from Labour MP Chris Bryant:
The House of Commons paid £97,500 for GDPR consultancy training from IT Governance without initiating a public tender.
Several MPs, including Bryant and Labour shadow minister Chi Onwurah, complained of inaccurate and overly zealous GDPR advice, which included giving the impression that all electronic constituency casework from before the 2017 general election had to be deleted by MPs.
To be told – as my staff were – that we shouldn’t keep data on constituents more than two years unless you could prove it was necessary, and certainly not more than an election, didn’t seem to show any understanding of either how MPs work or GDPR. I was concerned about it.
- Chi Onwurah
What should have happened
The GDPR is not about deleting all the personal data you hold and process as soon as it is two years old, nor is it about cleansing all data without immediate relevance or applicability.
Article 6.1 sets out the six lawful grounds for data processing:
- Consent of the data subject
- For the performance of a contract
- For legal compliance
- To protect the vital interests of the data subject
- For performance of a task in the public interest or in the exercise of official authority
- For purposes of legitimate interest
Clearly, an MP holding personal data of his or her constituents, even after a general election has come and gone, is not only a legitimate interest - "my constituents expect me to have their previous details when they visit," argued Bryant - but also in the public democratic interest, and necessary for the exercise of official authority, i.e. an elected MP's relationship with his or her constituents.
The House therefore had every right to keep the data that it deleted.
What you should do next
The GDPR has been in force for a little under a month - if, like most businesses, you're still taking steps towards full compliance, don't follow the House of Commons' lead.
A kneejerk, no-risk purge of data isn't the way to go - in fact, unnecessary deletion of data where retention is needed for ongoing and future work is itself a breach of data protection, not compliance with it.
- Take the time to sensibly and comprehensively assess your data streams in relation to Article 6.1.
- Don't rush to delete everything - the vast majority of your business data will serve a legitimate interest and support your business operation.
- Use common sense and don't panic. The brunt of the crippling fines that the ICO can now enforce is reserved for companies that fail to report their data breaches. Some of your data may well be illegitimate or obsolete; proving that you've considered its validity and acted accordingly, while taking steps to prevent and mitigate breaches, will be enough to satisfy an auditor.
For more information about the GDPR, download our free toolkit.