Thursday 24 May 2018

GDPR: a matter of consent

Since GDPR first hit the headlines there has been an awful lot of scaremongering and/or misunderstanding over the ‘consent’ part of the regulations. Many ‘experts’ claimed that a company needed specific consent from the individual for them to use their personal data but this simply isn’t true and I think it’s a lack of understanding of the full text of the regulations that is the problem here.


Article 6 of the GDPR Act clearly states that there are six different lawful reasons for processing personal data and they are all equally valid. There is no hierarchy, i.e. one is not better or ‘more legally binding’ than the others. One of those reasons is that you have the data subject’s ‘consent’, but the ICO says that you shouldn’t use consent if you have another legal reason for processing the personal data.

“One of the reasons for holding and processing personal data is for the legitimate interests of the data controller as long as those interests don’t override the rights and freedoms of the data subject.” In order to find out if the rights and freedoms of the data subject are impacted you should conduct a “balancing test” and in simple cases of direct marketing, the balancing test can normally be satisfied by giving the individual the right to opt-out or unsubscribe from direct marketing.

Recital 47 of GDPR goes further and says that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” but this again is only as long as the rights and freedoms of the data subject aren’t outweighed. To summarise that - if you have a legitimate business reason for storing personal data then you don’t actually need a person’s explicit consent.

This means that if you are holding a person’s data because they attended ‘A Conference 2017’ then it is reasonable to safely and securely store their data and contact them to ask if they would like to attend ‘A Conference 2018’, because it’s a reasonable assumption that if they attended last year’s event then they may well be interested in attending this year’s event too. Be careful not to try to stretch it too far – you probably shouldn’t assume that they would also like to attend other completely unrelated events that just happen to be organised by you, or subscribe to a related magazine or other service you offer. You can take one small leap in your assumptions – from last year’s event to this year’s – but a second leap to an unrelated product may be a leap too far.

If you still aren’t sure you should take the ‘expected’ test – would the data subject reasonably expect to be invited to this year’s event? If you can morally and ethically say yes (and not because you’ve abused their data in the past), and the subject has the opportunity to opt out of the communication, then you should be fine. A good solution for other events would be to use legitimate interests for the next year’s show and have a consent tick box for “Other events that we organise that you might be interested in”.

An important point here though is that any consent tick boxes must never be checked by default and you must record exactly what the wording was at the point that the data subject agreed to it. You need to be able to prove that they consented otherwise the consent is not valid. A really important point here is that you should always document the decisions that you are making relating to this stuff because it’s a bit like your maths homework; even if you actually get the answer wrong, if you can show your reasoning and show that you thought about the legitimate interest and the data subject’s rights then you should be fine.

The ICO want us all to be more responsible and think ethically about how we all use personal data. We will be explaining the other legal reasons for storing and using data in our next blog to be published in January.

Tuesday 8 May 2018

Lies, damn lies and GDPR

By Simon Clayton, chief ideas officer and GDPR practitioner, RefTech

Are you fed up of reading conflicting information about GDPR? Are you receiving a deluge of emails from companies proclaiming that unless you sign up and give consent then you will never hear from them again and then you will miss out on their offers / newsletter etc.? At last count I’ve received 40 of these emails, many from companies who have never even contacted me before, perhaps thinking that this is their last opportunity to contact me, even though they haven’t felt the need to previously. On one hand it’s very annoying, but on the other, it’s very interesting to see the number of companies who actually have my data.

The majority of these companies probably don’t have to contact their entire database. But they are doing it under the guidance of some self-proclaimed ‘expert’ who is telling them that they have to have explicit consent to be able to store a person’s data (you don’t – ‘consent’ is only one of the six lawful reasons to store data).

Even the BBC got it wrong; an incorrect news item sat on their website for three days until they corrected it. They only corrected it because I (and presumably others) complained to them and pointed out their error; they said that having consent was the only way a company could store and process a person’s data.

A myth has to be strong for the BBC to fall for it and this myth seems to have perpetuated itself into fact, which means I am getting totally fed up pointing this fallacy out to other people. I’ve even had to step away from a GDPR Facebook group I belonged to after several heated discussions with people who simply didn’t believe me because they had heard ‘facts’ to the contrary. The final straw was a heated discussion with a woman who runs a club who told me in no uncertain terms that under GDPR she has to contact all her members and ask them for permission to continue to store their data.

Think about it; this is a club that people sign up to voluntarily and pay to join, whose member benefits include a newsletter and other contact from the club. The very nature of joining a club is that you want them to have your details, and you expect to hear from them so that you can get involved. The club’s secretary actually thinks that they have to get explicit permission from each member to be able to just fulfil the benefits of the membership. I asked her what they would do if someone joins but withholds consent (as they must be able to do if you’re using consent as your legal basis for processing data) but she couldn’t answer that one!

Think how ludicrous that sounds. It’s utter madness to think this and it’s not what GDPR states at all. You don’t need consent if you have a ‘legitimate interest’ to store a person’s data – which means that it is quite reasonable for you to continue to store your members’ data because it’s a legitimate part of their membership.

GDPR is actually a reasonable piece of legislation, designed to protect the individual. It’s not out to confuse or over complicate business, but to make us all think about what data we collect and to use it responsibly. It is a little rough around the edges and some parts need further clarification and examples, but its heart is in the right place.

Stop listening to the experts, read the ICO’s guidelines yourself and if something seems silly, then it probably is and not actually part of GDPR at all.