GDPR is the new data protection legislation which comes into effect across the EU on 25 May 2018. Most of the recent discussion around this event centres on the potential downsides for organisations, including the much-touted maximum fines of 4% of global annual turnover or 20m Euros for non-compliance.
This series of blog posts takes a different view and looks at the benefits to be gained by businesses which approach GDPR as an opportunity to review their business processes and enhance their relationships with their most important customers.
In this post we look at the various legal bases for processing personal data and how these can affect the cost and benefits of retaining that data.
The available legal bases are:
- Consent: the data subject has given explicit consent
- Contract: you have (or are discussing entering into) a contract with the data subject
- Legal Obligation: you need the data to comply with a common law or statutory obligation (but not a contractual obligation)
- Vital interests: you need to process the personal data to protect someone’s life
- Public Task: mostly relevant to public authorities
- Legitimate Interests: you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing
For most small businesses Legal Obligation, Vital Interests and Public Task are unlikely to be relevant so we won’t discuss them further here. That leaves Contract, Consent and Legitimate Interests.
Contract is probably the simplest case: if you have an active contract, and the personal data is necessary to fulfill the contract, you can rely on this basis. You simply need to state this in your privacy notice. As you have an active contract, you probably don’t need to prioritise any new communication with these customers.
Consent is more complex as there are very specific requirements around the processes for gaining and revoking consent. It requires a positive opt-in (eg it is not acceptable to use pre-ticked boxes or any other method of default consent). It must be granular: separate consent for separate things. You must keep evidence of the consent: who, when, how, and what you told people (your privacy notice) at that time. You must also make it easy for people to withdraw consent and tell them how.
If your historic consent process did not meet all the requirements of GDPR, you will need to re-request consent from your customers. This may seem like a lot of work, but offers a great opportunity to get closer to your customers and put them in control. This is the subject of our next blog post.
If you choose to rely on Legitimate Interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
There are three elements to the legitimate interests basis. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
In our next blog post, we will look at the costs and benefits of the re-consent process.