Re: Msft Employee Perspective
It's amazing how people get GDPR so wrong...
The basic principles are:
1) Collect only the data necessary for the process, or processes, that the data is required for - do not collect other data "just because".
2) Only use the collected data for the process, or processes, that it was collected for.
3) Dispose of the data when it is no longer necessary to keep it.
There are six different permitted reasons for consent; the weakest one is explicit consent, i.e. an individual providing their details and specifically agreeing to the processing. Others, such as the collection of data for the provision of goods or services, are implicit and do not require that an individual specifically consents to their data being processed. The "right to erasure" is not all-encompassing: if an individual explicitly gave consent then they can remove this consent at any time, which covers the explicit consent reason. However, if an individual provides data for goods or services then in many ways the "right to erasure" has little impact because an organisation is not required to delete factual records. An organisation should reduce the details held on the individual and ensure that no further processing that affects the individual is performed, but that is different to complete erasure.
For example, if you run an online or mail-order shop, you do not have to delete all records of an individual that placed an order with you. You should delete, or at least reduce, the information stored after a defined period of time, but that's it. On the other hand, if the same shop has a newsletter or something similar, then this is a separate data consideration; this is entirely optional and an individual may require that their information is erased in this regard. Linking the purchase of an item to a subscription to such a newsletter in any way other than a very clear and optional opt-in is forbidden post-GDPR; it's not permitted to make subscription to such a newsletter a requirement of the purchase.