While, on the surface of it, the relatively simple act of gaining a data subject's consent should be enough to satisfy the requirements of the new GDPR (General Data Protection Regulation), it is only one option. In fact, there are several other lawful bases available to those who collect and process personal data that falls under the remit of the new legislation.
Under the new regulation, there are certain criteria that must be met, and it is evident that not every consent collection medium is taking all of these into account. The Article 29 Working Party's earlier opinion on the "definition of consent" already runs to over 38 pages. This gives us at least some insight into exactly how complex the legal issues actually are.
According to EU insiders, one of the benefits afforded by the recent revamp of the European data protection rules is that they tighten up and clarify the otherwise precarious area of consent. In the following article, we aim to clarify exactly how the new regulation interprets the legal definition of consent, and how and why consent differs from the separate basis of legitimate interest.
The bottom line is that under the new EU data protection regulation, there has to be some kind of lawful basis in place where a business is collecting, holding, and/or processing personal data. The remit of the law itself implies that at least one lawful basis must apply for the collection and use of the data to be considered legal.
Taken to its logical conclusion, the law therefore implies that the business collecting or controlling such personal data needs to have a lawful basis for each and every operation that deals with the data.
Many businesses, especially those involved in eCommerce, have operated automated "opt-in" systems for many years. However, some, if not most, of these will no longer conform to the requirements of the new regulation.
Simple pre-ticked boxes on a webpage will not fulfil the demands of the new regulation, because silence, pre-ticked boxes or inactivity do not count as a clear affirmative act. Businesses and organisations that intend to continue collecting personal data and comply with the new GDPR should consider the following outline of the EU legislation.
Where a business chooses consent as its lawful basis, the nuts and bolts of the collection process must actually reflect that choice; naming consent as the basis is not enough on its own.
The regulation goes further by defining what data subjects are actually consenting to. Consent is given for a personal data processing activity for one or more specific purposes, and those purposes must themselves be defined. The rules then make clear that such consent is only valid where it can be shown to be freely given, specific, informed (the data subject knew what purposes the data would be used for) and unambiguous, with no doubt about the intended use.
In instances where such data is to be used for any other specific purpose or purposes, further consent must be gained that fulfils the same standard criteria.
Contract is itself a separate lawful basis (remember the need for at least one): processing that is necessary for the performance of a contract with the data subject does not need consent as well. Where consent is requested as part of a written contract that also covers other matters, the regulation requires the request for consent to be clearly distinguishable from the rest of the document.
One area where an organisation may be able to process data without the data subject's consent is legitimate interest. The grounds for relying on it, however, are not as solid as an organisation may need in order to confidently pursue such a route.
There is a need to take the reasonable expectations of the data subject into account, and these may be difficult to quantify in the event of a challenge. The recitals of the regulation do, however, give examples of processing that may constitute a legitimate interest, and they are:
· Fraud prevention
· Direct marketing (which must also take the ePrivacy rules on electronic marketing into account)
· Administrative functions within an organisation (undertakings at a group level)
· Ensuring network and information security
It almost goes without saying that even in circumstances such as those above, there are limitations on how (or even whether) data processed under a legitimate interest can then be processed any further for a different purpose.
Even where a business could satisfy the GDPR's conditions for consent, there may be occasions where consent is impractical. Such circumstances may include processing whose purposes are likely to change at short notice, where obtaining fresh permission each time would not be feasible. In such cases, another lawful basis would be a smoother path to pursue. The bottom line, of course, is that businesses still need to ensure that they are in compliance.
In instances where a data subject withdraws their consent, a business may be tempted to fall back on another basis to continue processing their data. The regulators have been clear that this is not acceptable: a controller that has told data subjects it relies on consent cannot silently swap to legitimate interest once that consent is withdrawn. The lawful basis should be settled, and documented, before processing starts.
Where no other lawful basis was identified at the outset, businesses could find themselves unable to carry on such processing, and that is likely to impact heavily on some operations.
Another issue with relying on the consent of data subjects relates to the increased control they then have over the data. The rights of access and rectification apply whatever the lawful basis, but consent also brings the right to erasure on withdrawal and the right to data portability. Apart from the time and resources that businesses will have to expend in dealing with requests from data subjects, these rights could in effect hamper business operations.
Likewise, the ability of data subjects to withdraw their consent at any time means that the business has a duty under the new legislation to stop the processing, and to erase the data where no other lawful basis applies, or run the risk of a financial penalty.
While both legitimate interest and consent are recognised as lawful bases under the new GDPR, some aspects of your business's choice are likely to hinge upon your relationships with your clients.
Understanding the message that you are potentially sending out to them is crucial when making the choice. In the case of legitimate interest, your marketing actions could be perceived as saying "we will continue to bombard you with our sales material until you tell us otherwise". In some cases, this could place your business in a negative light where those customers are concerned.
Conversely, opt-in via consent sounds like “we respect your privacy, value your custom, and will only send you business information if you ask us to”. Some critics may further argue that the former is proactive while the latter could be seen as passive and not really effective as a marketing strategy.
Where a business or other organisation opts to go down the route of legitimate interest, there are certain criteria that it would be wise to consider before making that decision.
First and foremost, there does, of course, need to be a lawful basis to actually process the data concerned.
The experts within the EU have identified six lawful bases that can be relied on: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. The choice will be highly dependent upon the specifics of each unique business.
With the exception of consent, every one of these bases is framed in terms of necessity: the business or organisation that adopts it must be able to show that the data processing is, in fact, necessary for the stated purpose.
The lawful basis must be determined before any processing that relies on it is commenced, and it should be documented.
There are also specific criteria concerning special categories of data and those related to criminal convictions.
There is the possibility that a business or organisation could find itself in a position where it has a legal responsibility to continue processing the data of someone who has subsequently withdrawn their consent.
In such instances, it could find itself caught between a rock and a hard place: on the one hand, it carries on and breaches data protection law; on the other, it ceases and fails to meet its legal obligation. The regulation's answer is that processing required by law should be based on the legal obligation basis from the outset, not on consent, precisely so that withdrawal of consent does not create this dilemma.
Under the new GDPR, a business is not simply free to refuse to deal with data subjects (clients) who decline to give consent. Where the data is genuinely necessary to deliver the service, the appropriate basis is contract, not consent. Where it is not necessary, making the service conditional on consent means the consent is presumed not to have been freely given, and if the business goes on to use the subject's data without a valid basis, it will be breaking the law under the remit of the regulation.
Whether a business chooses consent from its data subjects or relies on legitimate interest, there is no doubt that what suits one business may not necessarily suit another. A thorough review of how both options are likely to affect your business is probably the best first move before diving in at the deep end. Criteria such as the type of business that you are operating and how it is structured are likely to be key decision-making factors.