GDPR and Consent
There are 6 lawful basis for processing data which will apply in different scenarios.
When to use it?
Consent is about controllers getting permission to communicate with individuals they want to send promotional messages to directly, including by email, phone or in the post.
Controllers can no longer assume individuals want to be contacted. They need to give express consent for these communications.
This means that when a company representative meets others at event, they visit a website or purchase, separate consent for marketing and other further communications must be obtained (unless another basis is used for processing).
The detail
Consent must be:
Freely given. There should be no coercion, undue incentives or a penalty for refusal. The controller cannot make it a condition for using a service or website.
Specific. This is to the type of communication requested and the organisation sending it. Thus, buying data is not valid, if recipients have not actively opted in to receive data from other organisations.
Informed and Unambiguous. Make sure the consent is displayed clearly and easy to understand so the individuals know what they are agreeing to.
Reinforced by a ‘clear affirmative action’. Recipients must make a deliberate action to agree to consent. Opting in cannot be inferred by silence, pre-ticked boxes or inactivity.
In practice this means that prospects, customers and partners all need to physically confirm that they want to be contacted by an organisation (the data controller) and do this with an affirmative action.
A pre-ticked box that automatically opts them in is no longer an option.
How to collect it?
The easiest method is to ask customers and other individuals to tick an opt-in box to confirm they wish to receive marketing messages and specify the channels to be used, with separate opt-in for each (post, email, phone calls etc.). Variations such as icons, sliding buttons, a confirmation email or oral confirmation are ok so long as:
The recipient understands what they have consented to, without any important details hidden with ‘small print’.
Recipients can easily opt out in every communication
You have not broken the law in asking for their consent
Do I need to prove it?
It is the controllers responsibility to demonstrate valid consent. They need to document the date of consent, what has been consented to, the method of consent and who obtained it. These may be needed as records of evidence in the event of a complaint.
The right to be forgotten
What is it?
Individuals have the right to have their data ‘erased’ in certain specified situations – essentially where the processing does not satisfy the requirements of the GDPR
When does it apply?
When data is no longer necessary for the purpose for which it was collected or processed.
If the individual withdraws consent to processing (and if there is no other justification for processing). If processing children’s data there is an additional trigger related to consent previously given by a child w.r.t online service.
An objection to processing based on legitimate interests – if the controller cannot demonstrate that there are overriding legitimate grounds for the processing.
When data was otherwise unlawfully processed
If the data has to be erased to comply with Union or Member State law which applies to the controller.
How long do controllers have to comply?
Controllers must respond without undue delay (and in any event within one month, although this can be extended in difficult cases).
What if the data has been shared?
If the controller has made personal data public, and a request has been received to erase the data, they must also inform other controllers who are processing the data that the data subject has requested it be erased.
The obligation is to take reasonable steps and account must be taken of available technology and the cost of implementation.
However, this could potentially be extremely difficult to implement: e.g. if it is now public domain data
Exemptions
The obligation does not apply if processing is necessary:
for the exercise of the right of freedom of expression and information;
for compliance with a Union or Member State legal obligation;
for performance of a public interest task or exercise of official authority;
for public health reasons;
for archival, research or statistical purposes (if any relevant conditions for this type of processing are met); or
if required for the establishment, exercise or defence of legal claims.
LEGITIMATE INTEREST
What is it?
One of 6 lawful grounds for processing data under GDPR. This has helped many organisations breathe a sigh of relief as conditions are less stringent, but you must still consider the detail carefully.
When can I use it and what for?
The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
The existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
Note that Legitimate interests isn’t a lawful justification for processing special or sensitive categories of data or for processing carried out by public authorities.
Controllers that rely on “legitimate interests” should maintain a record of the assessment they have made, so that they can demonstrate that they have given proper consideration to the rights and freedoms of data subjects.
Data processed on the basis of legitimate interests is subject to a right to object – which can only be rejected where there are “compelling” reasons.
So what would be included?
The recitals give examples of processing that could be necessary for the legitimate interest of a data controller. These include:
Recital 47: processing for direct marketing purposes or preventing fraud; (This also states that controllers should consider the expectations of data subjects when assessing whether their legitimate interests are outweighed by the interests of data subjects. The interests and fundamental rights of data subjects “could in particular override” that of the controller where data subjects “do not reasonably expect further processing.”)
Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data (note international transfer requirements will still apply – (see section on transfers of personal data);
Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems; and
Recital 50: reporting possible criminal acts or threats to public security to a competent authority.
How is legitimate interest limited?
There must be “a relevant and appropriate relationship between the individual and controller”. This means you cannot use it to send marketing out to anyone you meet!
Legitimate interests can only be relied on when the organisation’s interests override the individuals’ interests. It is for the organisation to demonstrate that their interests override the fundamental rights and freedoms of the individual, and that they’re acting in line with the rest of the GDPR.
When relying on legitimate interests an individual is still entitled to object to the processing. That right to object must be “explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information”.
Transparency in communication
You need to demonstrate reasonable expectation and so it is important that you ensure individuals are aware up front how you will use their data and are given the right to object (and if using it for retrospective processing on data collected under previous law, that they same processes were followed at that time).
You cannot therefore hide details re profiling and data use in a privacy policy or small print. On the other hand you cannot put everything out there and expect people to read it.
A layered notice is best where you provide a summary of how you will use the data, how long you will store it, any profiling and what they can expect from you (with a chance to object) and include links to more detail, for example in privacy policy.
You can’t put something important in the privacy notice which would be unexpected and then try to argue
that the individuals should have read it all!
A great example is this privacy policy from Microsoft with expandable sections and summarized content in an easy to read format.