Interview: Using personal data in digital onboarding processes

gdpr personal data

Data protection continues to be a hot topic, not only in Sweden, but on a global level. Roaring works with customer data management in many different contexts, and has found a common use case among companies we speak to, which is the creation of digital registration processes with collection and verification of personal data.

Anna Lööv, partner and founder of Kompass Advokat, specializes in, among other things, data protection issues. In this episode of ‘Inside CDM’, we discuss the use of personal data in various customer-related processes, customer data management from a life cycle perspective and how to ensure GDPR compliance.

Note: Podcast below was recorded in Swedish.

To get us started Anna, what should you consider when using personal data in digital registration flows? What should you keep in mind when building your process?

"To start with, you should always aspire to process and manage as little customer data as possible, according to the principle of data minimization in the GDPR. Furthermore, you should have a clear purpose of usage for the data you collect."

“IMY (Swedish Authority for Privacy Protection) has identified and cracked down on processes such as checkout solutions or digital registration processes, when it is built in a way that enables others to use it as a lookup service. For example, using someone else's social security number to obtain the person's address, due to an autofill feature in the process."

“In light of this problem, IMY has developed alternative, approved ways of using and presenting personal data in these types of processes which include:

  1. Login through e-identification or with secure password management.
  2. Use of data in the background without presenting anything to the user or customer.
  3. Masking personal data so that the information can be confirmed by the user but doesn’t risk revealing complete personal information to an unauthorized person. (see image example)

A ‘bare minimum approach’ to data collection and management is crucial, and when building your process you should base data needs on the purpose and functions your process should fulfill. Collecting data to "maybe use it at a later stage", for example, is highly questionable from a legal perspective."

“It is also beneficial from the customer's or user's perspective, as the process becomes faster and smoother when you avoid unnecessary steps of data collection. Collect and autofill the data you require, nothing more.”

gdpr personal data masking

"Example of masking data"

When considering data management from a lifecycle perspective, what should you keep in mind when handling data from collection to deletion?

 “The General Data Protection Regulation is very clear in the sense that the data you collect, you must have a clear purpose of usage for. Meaning, when you no longer require the data, you should no longer have it in your systems.”

“If we play with the idea of marketing directed towards a customer who has made a one-time purchase online, that purchase process requires you to collect information such as personal information, payment details, shipping details etc. After the purchase is complete, the customer could possibly be classified as a prospect again, depending on the business and product of course. This would mean that the previously required data may no longer be needed for marketing purposes. It may be enough to keep certain necessities, such as an email address. When the purpose of usage changes, you need to make sure you make adjustments and use what you actually need in relation to the customer journey or lifecycle, so to speak.”

“The last thing that is important to keep in mind is that somewhere along the line, the data loses its relevance. There comes a point where, for example, a prospect has been around for too long without becoming a customer. The period of processing or handling of data is obviously different depending on the business and product, but once again, when data is not relevant it should be deleted. Data storage must be in accordance with the storage limitation principle of the GDPR, thus, you should consider creating a framework with time lapses in relation to data relevance.

The usage of certain personal data requires special permits. But you mention the purpose, how does that factor in when it comes to data such as income or citizenship, for example?

 "Basically, GDPR really only differs fundamentally between 'normal data' and 'sensitive personal data', which are certain special categories of data. The second category is information such as health status, political opinion, union memberships, criminal records and social security numbers, for example. You can normally not use such information for marketing purposes and hence, you have to be extra careful there, especially if you work with religious groups, trade unions etc.”

“General privacy-sensitive information', such as salary, a person's financial situation and similar information, is typically something that belongs to the private sphere of a person's life so to speak. There is no special guideline in the GDPR around these issues, but IMY is clear that handling of this information should be restrictive.”

anna lööv

"Anna Lööv, Kompass Advokat"

“In these cases, the customer's interests often outweigh the company needs. It is also important to ensure a high level of IT security around the handling of these types of data to avoid risks and problems.”


What about consent given by users in digital processes?

“Consent is considered a legal basis for handling personal data, which also includes sensitive information. However, it is not easy for companies to use sensitive data even if they have obtained consent. The process must very clearly inform the users of what they agree to, otherwise the consent is not valid.”

“In addition, a person should be able to take their consent back just as easily as they gave it. Meaning, as a company you must have functions and systems in place to handle that. Many consents given, for example in the case of a lot of cookie banners, are not valid consents, even more so if personal data is collected.”

“One should also keep in mind that there are completely different rules outside the EU and the EEA, where the GDPR does not apply. In an online environment it is not always clear for the user which regulation that applies to the company and therefore cookie banners for example may look different."

A lot of companies we talk to share their customer data with a third party, often entire customer registers, to carry out so-called "data cleanses" or monitor changes on an ongoing basis. What should you keep in mind when doing something like this?

“The most important thing is that you have a personal data assistant agreement with the company that is to carry out the cleanse or data monitoring. If not, both parties are in violation of GDPR. The second thing to remember is to ensure that data transfers are made in a safe and secure way, for example through encrypted transfers."


Do you have any final thoughts you want to leave our readers or listeners with?

“If you want to ensure GDPR compliance, a good starting point is the eight data protection principles (see below). If you follow them, you have come a long way!”

Article 5 - Principles relating to processing of personal data

Personal data shall be:

(a)  processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b)  collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes/…/ (‘purpose limitation’);

(c)  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d)  accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods /…/ (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  1. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).