The European Union’s wide ranging new data protection rules, the General Data Protection Regulation is coming. It is currently being passed into national law by the EU’s 28 member state governments and comes into force on 25th May.
One of the biggest impacts of GDPR on businesses is the changes to the legal reasons for gathering, storing, processing and using personal data. Most significantly for businesses, the principle of consent, which most firms rely on for marketing contact lists, is radically overhauled.
Article 6 of GDPR lists the so-called lawful bases for using data, to be legally allowed to handle or store data you will need to identify the lawful basis that allows you to do so.
Types of ‘Lawful Basis’:
There are six categories of legal basis:
Consent – The individual agrees to you processing their data. This basis has changed the most and we will look at it in more detail below.
Contract – You need to hold the data to meet a contractual obligation to the individual. For example, in order to pay an employee you will need to store and use their bank details.
Legal Obligation – A law requires you to hold the data – for example employees’ proof of right to work.
Vital Interests – Mainly for the medical profession, you need to process the data to assist in saving their life. However, if the person is capable of giving consent you must get consent.
Public Task – You need the data to carry out a task either as or on behalf of a public body.
Legitimate interests – The most flexible basis. These can be commercial interests, individual interests or societal interests, but must be balanced against the individual’s rights.
Further rules apply to two categories of data:
Special Category Data – This covers types of data that could expose somebody to discrimination, e.g. their sexual orientation or disability status. As well as having a lawful basis you must meet additional requirements listed in Article 9.
Criminal Offence Data – Data about criminal offences can only be processed by those working for or on behalf of a public authority. As well as a lawful basis (usually ‘public task’) you must meet the requirements of Article 10.
What’s new in the consent requirements?
Under the existing data protection rules, consent has been a backbone of business use of data. Tucked away in the terms and conditions of using a service or assumed with a hard to spot opt-out box, consent has allowed firms to populate their marketing contact lists, for their own use or for sale to “trusted partners”.
Under GDPR, an individual’s consent is still a lawful basis for processing data, but the scope is limited and requirements demanding. “The GDPR sets a high standard for consent,” Britain’s Information Commissioner’s Office (ICO) warns, noting that another lawful basis might suit your needs better.
For marketing purposes such as sales emails however, consent remains the most likely basis for processing data.
So what is the high standard?
Consent is explicit. You can’t make consent a condition of using a service, or include a presumption of consent in your terms and conditions. The individual must take a specific action to give consent.
Consent is a positive opt-in. No more pre-ticked boxes for consent. The individual must positively give consent, rather than simply failing to withdraw it.
Consent is ‘granular’. You need to get separate consent for separate uses of data.
Consent is specific, clear and concise. When asking for consent be clear what data you will hold and what you will use it for. You must identify and third parties used in the process – where they might handle, process or transfer data.
Consent can be withdrawn. You need to be clear about how the individual can withdraw their consent. It must be easy for them to do so.
Once you have secured consent you need to record it. The record should be thorough. Records should show who has consented how they opted-in, what purpose they consented to their data being processed for, and the wording of the consent request. This record will, of course, count as personal data, which you will hold under the ‘legal obligation’ basis. If the way you process data, or the purpose you process it for, changes, you will need to explain this to the individual and get consent again.
To Sum Up
In short the changes to consent requirements mean that it is no longer the catch-all reason for holding data. In many circumstances another legal basis will be better. For example, existing customer records. You would be better to class these as coming under the ‘contract’ basis, as you need to have this data to fulfil contractual obligations to the client.
Once again some of the best advice we can give you is to check out the ICO website, where you can find detailed information on the requirements for each lawful basis, as well as checklists to help you obtain and manage consent.
Leave Wizard Ltd is committed to using your data in accordance with these new regulations, but if you have any questions, please don’t hesitate to contact us on firstname.lastname@example.org