GDPR - why do we have that personal data?
In the second of our series of blog posts about the upcoming Europe-wide GDPR (General Data Protection Regulation), we'll be considering what "consent" means and looking at what the other possible lawful bases for processing are.
What is "consent"?
That's a good question when it comes to data protection - if you ask a few people you'll likely get a few different answers.
The GDPR sets a new, higher bar for what consent means. It aims to give individuals a real, genuine and granular choice about whether they want to be contacted, and how, which on the whole I think is a good thing; we all get a bit tired of being bombarded by email, junk mail and phone calls (although under the existing Data Protection Act we should have been better protected than we actually were).
This new affirmative consent does pose problems for lots of companies: you've spent years building up contacts and a mailing list, and now the EU is saying that if you didn't comply with a regulation which didn't exist at the time, you'll need to ask for consent again. For some companies that will be a bitter pill to swallow, and it's more than likely that some will just ignore the regulation and take their chances (that's almost certainly a bad idea). For others, maybe this is the bit of arm-twisting needed to get things in order, have a data spring clean and focus on staying in touch with the people who value it most. We've got a bit more on that in our GDPR vs Marketing blog.
Here are a few key things to know about consent - there are lots, so we haven't covered them all:
- Where the individual gives consent, be it online, on the telephone or on a paper form, it needs to be clear exactly what they are consenting to. Where necessary, allow granular consent: for example, if you want to contact the individual by email and by SMS, those should be separate options.
- Make sure the consent is a positive opt-in: don't use pre-ticked boxes, and don't make opting in to peripheral communications part of the terms and conditions.
- Record the opt-in 'evidence': when and how the individual opted in, and what they agreed to at the time.
- Make it easy for individuals to withdraw consent; make it clear how they do that and what happens when they do.
- Employers asking employees for consent may be a grey area, or at least you'll probably need a more robust process in place than you'd use for other individuals.
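To show how those consent points translate into something a system can actually enforce and evidence, here is an added example (not code from See Green or from the post): a small consent register where each channel is a separate opt-in, nothing is consented to by default, every opt-in and withdrawal is logged with when, how and the exact wording, and a confirmed (double) opt-in step must complete before anyone can be contacted. All names, channels, timestamps and addresses are constructed for illustration.

```python
from dataclasses import dataclass

CHANNELS = ("email", "sms", "post")  # granular: each channel is a separate opt-in

@dataclass(frozen=True)
class ConsentEvent:      # one piece of evidence: when, how, and what they agreed to
    granted: bool        # True = opt-in, False = withdrawal
    when: str            # ISO 8601 timestamp, e.g. "2018-05-01T09:00:00Z"
    source: str          # how it was given, e.g. "web_form", "phone", "paper"
    wording: str         # the exact text shown to the individual at the time
    confirmed: bool      # has the confirmed (double) opt-in step been completed?

class ConsentRegister:
    def __init__(self) -> None:
        self._log: dict[tuple[str, str], list[ConsentEvent]] = {}  # nothing is pre-ticked

    def _add(self, person: str, channel: str, event: ConsentEvent) -> None:
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        self._log.setdefault((person, channel), []).append(event)

    def evidence(self, person, channel):  # latest record for this person/channel: what you show a regulator
        events = self._log.get((person, channel), [])
        return events[-1] if events else None

    def opt_in(self, person, channel, source, wording, when):
        self._add(person, channel, ConsentEvent(True, when, source, wording, False))

    def confirm(self, person, channel, when):  # confirmed (double) opt-in completes a pending opt-in
        last = self.evidence(person, channel)
        if last and last.granted and not last.confirmed:
            self._add(person, channel, ConsentEvent(True, when, last.source, last.wording, True))

    def withdraw(self, person, channel, source, when):
        self._add(person, channel, ConsentEvent(False, when, source, "withdrawn", True))

    def can_contact(self, person, channel) -> bool:  # no record, unconfirmed or withdrawn all mean "no"
        last = self.evidence(person, channel)
        return last is not None and last.granted and last.confirmed

def demo() -> dict:  # constructed walk-through: web sign-up for email and SMS, confirm email only, withdraw
    reg, alice = ConsentRegister(), "alice@example.com"
    reg.opt_in(alice, "email", "web_form", "Send me the monthly newsletter by email", "2018-05-01T09:00:00Z")
    reg.opt_in(alice, "sms", "web_form", "Send me offers by SMS", "2018-05-01T09:00:00Z")
    unconfirmed = reg.can_contact(alice, "email")  # False: the confirmation link has not been clicked yet
    reg.confirm(alice, "email", "2018-05-01T09:05:00Z")
    confirmed = reg.can_contact(alice, "email")    # True
    reg.withdraw(alice, "email", "unsubscribe_link", "2018-05-02T12:00:00Z")
    return {"unconfirmed": unconfirmed, "confirmed": confirmed, "sms": reg.can_contact(alice, "sms"),
            "withdrawn": reg.can_contact(alice, "email"), "bob_post": reg.can_contact("bob@example.com", "post")}
```

The log is append-only, so a withdrawal never erases the earlier opt-in evidence; the latest event decides whether contact is allowed, while the full history stays available if you ever need to show when and how consent was given.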
What are the other lawful bases for processing data?
For most companies, or at least for the marketing part of the company, consent is probably the biggest single lawful basis. There are a few others though, and depending on what your business is they may be more or less relevant to you.
Legitimate interest is probably the most complex of the lawful bases for processing data, but also one of the most flexible, allowing some direct contact with individuals who haven't consented to being contacted. However, I'm not going to offer advice on using this lawful basis here, because it will be different for everyone and needs to be used carefully. If you want to get your hands dirty, the guidance from the ICO is here:
Contract is the lawful basis on which most businesses hold their customers' data, for accounting and to allow us to provide them with a product or service. Nothing much has changed here with GDPR; the regulation is very much the same as it was under the Data Protection Act 1998.
Legal obligation, for most companies, will cover things like keeping employee records, as that's required to comply with and disclose information to HMRC. It also covers things like court orders to supply data in some circumstances. As with the contract basis for processing, nothing much has changed here; it's very similar to what was set out in the DPA 1998.
Vital interest as a lawful basis for processing is something most businesses will never need. It's used in very special circumstances, where personal data that is normally protected can be made available to third parties. For example, if an individual is in a car accident, their own doctor may choose to share records with a hospital without the individual's consent. The main change to the regulation here is that under the DPA 1998 data could be released about individual X in the vital interest of individual X, as in the car accident/hospital example. Under the new regulation this is expanded to allow data about other individuals to be released too, so data about individual Z could be released in the vital interest of individual X.
Public task as a lawful basis can apply to any public body, or any company or organisation that provides a public service, so it could cover energy and water suppliers amongst others. I'm not going to cover this in too much detail - hopefully any organisation like that already has its own team looking at the new regulation!
What we're doing at See Green:
We've taken this opportunity to review the data we hold under consent, and where appropriate we're re-establishing that consent. On our own website we've changed our email newsletter sign-up to make it much clearer what the individual is signing up for, and we've added a confirmed opt-in process too.
As part of a bigger review of the data we hold, we've looked at retention periods and the basis on which we hold each data set, to make sure we have everything in order. Look out for our blog about data cleansing and retention coming soon.
Five top things 'to do'
- Get to grips with what data you hold - it might be helpful to organise and categorise data to get a clearer picture of why you have it
- Know your lawful basis for holding the data you do, and don't forget it might be different for different pieces of data
- If you change what you do with the data you hold, you need to review whether your lawful basis for holding it is still valid
- If you use online systems (CRM, mailing list etc.) to manage personal data, make sure you know where it is stored, who has access and how it's protected
- Get help if you need it
If data management boggles your mind, get in touch with us on 01904 500500.