Consent Is Not the Only Road to GDPR Compliance!
When General Data Protection Regulation (GDPR) comes into effect in May 2018, it will require organisations to be more accountable and transparent.
Every rule in GDPR comes down to these two fundamental qualities. This, in a way, is good for organisations because it creates new responsibilities and opportunities.
We’re currently taking a very close look at the new regulations to create awareness among our valued customers – and organisations in general – and ensure that SMSwarriors’ system is in line with the law.
In doing so, we’ve noticed that there is a lot of misconception about lawful basis. Consent is the culprit which is getting the most airtime.
So, in this article we’ve decided to break down the lawful basis section of GDPR, reminding organisations that there are other possible ways to follow.
There can be many solutions to one problem. Many different roads may lead to the same destination.
In a similar way, consent is not the only road towards your GDPR compliance journey. Just because consent has been making the biggest headlines does not make the only way to skin this particular cat.
In fact, GDPR stipulates no less than six lawful basis for a data controller to process the data.
The new regulation clearly mentions that you must choose a lawful basis to process the data, there’s no getting around that.
What is processing personal data?
“Processing… means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data… it is difficult to think of anything an organisation might do with data that will not be processing.” (Source: ICO)
What is a lawful basis?
A lawful basis is nothing but the justification you have for processing the data. At any point in time, you should be able to demonstrate the lawful basis of processing in your organisation.
What are the six lawful basis?
So, if you are a data controller you should be able to prove that you follow one of the above for data processing activity.
No option is better than other, meaning you can follow any of the above to get GDPR compliant.
But here is the question that comes to mind for most people who don’t know about GDPR.
Can we follow more than one lawful basis?
The simple answer is yes.
GDPR is a compliance journey, not something you get done quickly.
It is an ongoing process.
So, in preparation for GDPR, you need to identify every data pool you hold.
For example. clients, employees/hr, prospects, suppliers, websites.
Then you must clearly record what lawful basis you are using for each data pool.
In fact, you can apply more than one to each data pool and different records within each data set.
To make it clear, a lawful basis is not singular, and it depends on the number of different data pools you handle at your organisation.
Consent and legitimate interests are the two most relevant lawful basis which we think most private organisations can make use of!
What is consent?
The data subject has given permission for the processing of his/her personal data for one or more specific purposes.
Consent must be unambiguous, freely given, specific and informed consent.
An important point to be noted is that consent can’t be bundled with all other terms & conditions.
This means consent should be separate from other terms, not pre-ticked and clearly informing the data subject of what they are consenting to.
It is necessary for you to have a serious look at how you have been originally collecting the data until now.
Most of the companies combine the consent in terms & conditions and pre-tick it.
If you have been doing the same, then you can’t use consent as a lawful basis for all those data pools like existing clients.
The recital below clearly stipulates that if the consent you have been getting until now is not in line with GDPR standards, then it’s a void consent and you can’t use the same consent from here on out.
We have mentioned in our last post that you need not re-request permission to process their data because the consent you have been getting until now is not valid anyway.
Therefore, consent is not the most appropriate lawful basis when it comes to existing clients.
Recital 171 of the GDPR, which reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”.
So, what’s the alternative?
It’s none other than legitimate interests.
You can use legitimate interests as the lawful basis for your existing clients, and that’s why you need not request your existing clients’ consent again.
But when it comes to prospects and inactive clients you need to take a different approach, because you need an existing relationship with data subject to use legitimate interests… more on that in future.
Difference between Prospects, Clients and Inactive Clients:
A prospect is someone who has provided you with contact details but hasn’t purchased your products or registered to use your services.
A client is someone who has purchased or registered to use your services.
An inactive client is someone who was a client, but not anymore. It is up to a company, depending on their nature of business and industry, to decide when a client becomes inactive. In case of SMSwarriors, a client is considered inactive after 12 months from the date of their last purchase – because it can take several months to use the SMS credits we sold.
What is legitimate interests?
Legitimate interests are the benefits that the data controller may gain from processing the data, but those benefits/interests should not override the basic rights of data subjects.
Article 6 of the GDPR, says: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where is a compelling justification for processing.” (Source: ICO)
So, if you choose legitimate interest as your lawful basis then you need you to consider the following three elements:
-Identify a legitimate interest;
-Show that the processing is necessary to achieve it; and
-Balance it against the individual’s interests, rights and freedoms.
How Can You Use Legitimate Interests Legitimately?
Legitimate interests shouldn’t be used as a band-aid just because you found an alternative to consent.
In addition, you will need to demonstrate it if required, so it is necessary to complete a legitimate interest assessment and document it properly.
Data Protection Network has published a detailed explanation of legitimate interests and template for assessing legitimate interests.
Don’t be relaxed thinking you have found an alternative to consent… there is more to it.
Just like you need a legal to basis to process data (governed by GDPR), you need another legal basis to send electronic marketing communications (governed by Privacy and Electronic Communications Regulations, e-Privacy Directive 2002/58/EC ).
Our next article will exclusively deal with marketing after GDPR.
Disclaimer: While we have checked our sources, it is important for you to seek legal advice related to GDPR compliance. This article does not constitute legal advice.