When the General Data Protection Regulation (GDPR) comes into effect, it will require organisations to be more accountable and transparent.
Every rule in GDPR comes down to these two fundamental qualities. This, in a way, is good for organisations because it creates new responsibilities and opportunities.
We’re currently taking a very close look at the new regulation to create awareness among our valued customers – and organisations in general – and to ensure that our own system is in line with the law. In doing so, we’ve noticed that there is a lot of misconception about the concept of lawful basis. Consent is getting the most airtime, but it’s not the only option – there are other lawful bases available.
There can be many solutions to one problem. Many different roads may lead to the same destination. In a similar way, consent is not the only road that leads to GDPR compliance. Just because consent has been making the biggest headlines does not make it the only way to skin this particular cat. In fact, GDPR stipulates no less than six lawful bases under which a data controller may process personal data. What the new regulation does make clear is that you must choose a lawful basis before you process the data, and there’s no getting around that.
The processing of personal data is defined as “obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data… it is difficult to think of anything an organisation might do with data that will not be processing.”
On the other hand, lawful basis is nothing but the justification you have for processing the data. At any point in time, you should be able to demonstrate the lawful basis underlying each processing of personal data in your organisation. The two lawful bases that we think most private organisations will find most relevant are consent and legitimate interest.
Under the lawful basis of consent, the data subject has given explicit permission for the processing of their personal data for one or more specific purposes.
Consent must be unambiguous, freely given, specific and informed. An important point to note is that consent can’t be bundled with other terms and conditions. This means consent should be separate from other terms, must not be pre-ticked, and should clearly inform the data subject of what they are consenting to.
It is necessary to take a serious look at how you have been collecting data until now. Many companies bundle consent into their terms and conditions and pre-tick it. If you have been doing the same, then you can’t rely on consent as the lawful basis for the data pools collected that way, such as your existing clients.
The recital below makes clear that if the consent you have been obtaining until now is not in line with GDPR standards, then it is void and you can’t continue to rely on it from here on out. You need not re-request permission to process their data, because the consent you have been obtaining until now was not valid anyway. Therefore, consent is not the most appropriate lawful basis when it comes to existing clients.
Recital 171 of the GDPR reads: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.”
So, what’s the alternative? It’s none other than legitimate interest. You can use legitimate interest as the lawful basis for your existing clients, and that’s why you need not request your existing clients’ consent again. But when it comes to prospects and inactive clients, you need to take a different approach, because legitimate interest relies on an existing relationship with the data subject.
There is a difference between prospects, clients and inactive clients. A prospect is someone who has provided you with contact details but hasn’t purchased your products or registered to use your services. A client is someone who has purchased or registered to use your services. An inactive client is someone who was a client, but no longer is one.
It is up to each company, depending on the nature of its business and industry, to decide when a client becomes inactive. In our case, a client is considered inactive 12 months after the date of their last purchase – because it can take several months to use up the SMS credits we sold.
Legitimate interest refers to the benefits that the data controller may gain from processing the data, but those benefits/interests must not override the basic rights of data subjects. Article 6 of the GDPR permits processing where it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where there is a compelling justification for the processing.”
So, if you choose legitimate interest as your lawful basis, then you need to consider the following three elements: identifying a legitimate interest; demonstrating that the processing is necessary to achieve it; and weighing it against the individual’s interests, rights and freedoms.
The Data Protection Network has published a detailed explanation of legitimate interests and a template for assessing them.
Don’t relax just because you have found an alternative to consent – there is more to it. Just as you need a lawful basis to process data (governed by the GDPR), you need a separate legal basis to send electronic marketing communications (governed by the Privacy and Electronic Communications Regulations, e-Privacy Directive 2002/58/EC).
While all sources have been checked, it is important to seek legal advice on GDPR compliance. This article does not constitute legal advice.