One of the questions that is bugging Companies engaged in some kind of marketing to corporate executives is whether a “Work E-Mail”or “Work Phone number” , which is the “Business Contact Information” (BCI) qualifies itself as “Personal Information” (PI) under GDPR.
If BCI is PI then companies need to scrap any such information they might have collected in the past from their marketing efforts (This applies only to EU data subjects and not Indian data subjects) since the information has been collected earlier without a new “GDPR compliant Consent form”.
The GDPR consent form needs to be a explicit opt in form and also contain information on the rights of the data subject. Since these conditions were not there in the earlier consent, the marketing agencies need to stop using such data unless they are able to get a re-permission which can be obtained with a new one time request for re-permission.
There are a few who object even to sending of the re-permission request and consider it as a spam. However, if an entity earlier had a consent and now it wants to renew the consent under the new regulations, it is unlikely that any objection for such a request will stand scrutiny of any sensible Court or regulatory authority.
Though GDPR authorities may not have clarified this matter, I think it is reasonable to assume that
” If an entity has a permission to send e-mails by way of a valid consent at present and sends an email requesting re-permission including the new GDPR clauses either through a reply on the e-mail or by visiting a new web based consent form, then it may be an acceptable one-time-contact”.
In case, no reply is received, it is better to scrap the contact address and not try repeated contacts for re-permissions.
There are many consultants abroad who believe that work e-mail and work phone is undoubtedly to be considered as “Personal Information”. Some qualify the statement in respect of e-mail that if the e-mail states name@company name, it is considered personal but if it states designation@company name, it is not personal information.
I refer to two such articles that I referred to online. This reference is not to criticize the views expressed there in but only to highlight that these are the prevailing views abroad where the panic reaction to GDPR is clearly perceptible.
First is an article at beswicks.com. This is an UK based company which was in EU and is now in the transition stage after BREXIT. The author categorically states that Business E-Mail which contains the “Name” of a person is ” Personal Data under GDPR”.
The second is an article in realbusiness.co.uk. This article states that the author checked with ICO and was told that Work E-Mail is not personal information. The author stated in the article as follows…
“So, for e.g. my work email address email@example.com is that classed as personal data under the GDPR regulations? I rang the ICO (Information Commissioner’s Office) about this, and they were initially hesitant and then said it is NOT personal data, it relates to a company not a person.“
The author however disagrees with the view and holds that ICO was wrong and the firstname.lastname@example.org should be considered as “Personal Information”.
Given such opinions floating around the web, I am not surprised that many B2B marketing companies where the business executives need to take decisions on the basis of “Erring on the Safer side” would decide that BCI may be considered as PI for compliance purpose.
Of course if we accord more stringent compliance norms to data which may not require it to be so, there is no harm. So nothing prevents a company to decide all information of such nature is to be protected by adopting GDPR principles. But the cost of such compliance goes up and share holders of such companies need to bear the extra expense.
However, we need to academically debate if this tendency to “Deciding to Crawl when only required to Bend” is warranted.
It is quite possible that the authorities who created GDPR legislation and the supervisory authorities who have to supervise them may not be correct and they may be harming business in the long run by mis-interpreting the legislation. Even if hey are not, consultants who think BCI is PI will make the authorities to also think on the same lines. If so, we have a duty to question their interpretation and allow them to correct their mistakes.
I therefore place before the public my arguments why it is not correct to consider that Work e-Mail address is to be considered as “Personal Identity Information” that renders it as a GDPR risk data.
One of the principles which I would like to apply here, is that for any property to be called “Personal”, then the “Person” should have the right to create it, use it as he likes and destroy it as he likes. None of these qualities apply to the work e-mail address. I may be an employee of an organization and carry a work e-mail ID. But it is created by my corporate IT team. I am allowed to operate it while I am in employment but only for designated work purpose. I cannot delete it even if I want nor I can use it after my employment is terminated. In fact the contents may be accessible by my IT admin under a proper authority and for official requirement. There may even be a “Legitimate Interest” to decrypt content if required.
In effect, I am not the owner of this work e-mail ID. I only have limited rights to use it for the benefit of my employer. It is an ID of the employer for the employer and used by me for them. It is like the cabin, the table, the work computer, the work mobile, the company car, parking place and other assets that a company may give me for use as a perk.
It is interesting to note that the draft Indian law DISHA2018 which is the proposed Digital Information Security for Health Care Act declares in the context of the legislation that “Health Information of an individual is his property”.
GDPR however does not use the concept of “Property” for the Data subject’s right on personal information.
According to Article 4(1)
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
The definition of “Personal Data” is fairly wide and can be interpreted that “Any identifier” can be considered as “Personal Data” if it is related to an identifiable natural person. My true caller app may actually identify the caller and therefore any phone number is obviously a “Personal Data”. Even if the call comes from a Corporate Telephone EPBAX, my True caller identifies it with my contact for whatever intelligence it has developed.
Similarly, the E-Mail contains an embedded name and the recipient often identifies the sender’s name with the name in the e-mail ID. But quite often a prefix to an email address may not necessarily be the name of the individual.
For example “naavi9” is the prefix to my email but my name is not naavi9. But any body who receives an e-mail from email@example.com may consider naavi9 as an identifier and consider that the email address belongs to me. If they consider that naavi9 is only half the name and the full name is with the domain, then we are dealing with a different situation where Vijay Kumar is not Vijay Shankar and hence “Vijay” cannot be considered as an identifier in isolation without the appendage Kumar or Shankar.
Also, we need to identify that naavi9 is an assigned name and not necessarily my name. In this particular case, I as the owner of my name (Which according to my Aadhaar consists also of my father’s name and grandfather’s name) have assigned naavi9 for e-mail purpose and hence it is the choice of the data subject.
If the recipient recognizes it as my identity, he may not be wrong. But it is just an inference he draws and not necessarily a reality. But suppose I use naavi9 at the ujvala.com domain, it could be an ID assigned by the domain owner ujvala.com to may be one of his employees. In fact the recipient of an email naavi9 at ujvala.com may not even know if ujvala.com is a company or it is just name of some individual called “ujvala” who has created the domain. (Though .com indicates that it is a commercial entity). How can then we be sure that naavi9 at gmail.com is personal data but naavi9 at ujvala.com is not personal data?
In view of the fact that in the ujvala.com domain, the right to assign the ID naavi9 may not lie with a natural person called naavi9 , but with the organization which could be Ujvala Consultants Pvt Ltd, it is improper to consider naavi9 at ujvala.com as “Personal Data/Information”.
Secondly, in the context of collection of the e-mail ID in a B2B context, the “Intention” of the user of data is to use the E-Mail ID for marketing a product or service to the Company and not to the individual. If therefore I provide a white paper download collecting the name, designation, work e-mail and work phone number under a consent form, which may also state that I will send product information to the contact, the intention is not to use the contact data for personal marketing. Hence “Intention” of the marketer itself makes this information “Non Personal”.
It is possible that I may visit a person in his office and become his personal friend or incidentally market my personal service. But such use of “Work Contact” for “Personal Marketing” should be considered as an “Exception” if it happens unintentionally.
For example, If I contact an IT head in a company to sell him a Windows Server product and he enquires and picks up a windows personal product, then it is an exceptional instance which should come under the category of “Occassional” contact under GDPR and not intentional personal marketing.
Intention of the B2B marketer who collects the work e-mail address for further contact can be validated by the consent also.
I therefore consider that Business Contact Information should not be considered as Personal data for the purpose of GDPR and it should be handled as such.
Domain Test, Intention Test and Consent corroboration are therefore the criteria to be applied to check if BCI should be considered as PI in a given context.
As I have already stated, this is an opinion on “Why BCI is not PI” by a consultant who is academically oriented.
But for corporate managers, it is their option to err on the safer side and consider even the name of the company as “personal information” if they so desire and subject it to GDPR restrictions.
After all, a person cannot be blamed if he wants to use an Axe where your nail will do. (A proverb in Kannada-ಉಗುರಲ್ಲಿ ಹೋಗುವುದಕ್ಕೆ ಕೊಡಲಿ ತೆಗೆದು ಕೊಂಡಂತೆ ).