31 July 2017
Hopefully some of our previous blogs about GDPR, such as the ICO guidelines and the practical implementation of GDPR, have been helpful. Having done a lot of research, and having spoken with many business owners, we have come across a number of myths and bad ideas circulating about the General Data Protection Regulation. There is a lot of "you need this" or "we can just do this", and this blog addresses the most common examples.
All of the information we provide is to our best understanding at the time of writing; however, this blog does not offer legal advice. If you require advice on your specific business, we recommend that you seek independent legal advice.
The important thing to remember is that GDPR is about two things: being lawful, and protecting people's rights. It might be difficult at times, but it is not unreasonable. Collecting and using people's data requires you to do so under a lawful basis, and consent is just one of the available lawful bases. A good approach is to base operations on consent where you can, and then identify another lawful basis for the processing where consent does not apply.
The ICO explain that one such lawful basis is having a contract with the individual: "for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract."
If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual's rights and interests; this lawful basis is referred to as legitimate interests.
Brexit is very unlikely to happen before the EU legislation comes into force, so there will be a transition period. Either way, the ICO have made it clear that GDPR is coming into force irrespective of Brexit. GDPR addresses the requirements of data protection in relation to modern technologies, and the Data Protection Act 1998 (DPA) needs updating in any event.
Many marketing companies are stating that GDPR requires a double opt-in method; this would require a positive opt-in, plus something like an email to that contact asking them to click on a link to confirm that the email address is valid. This is typical for an e-commerce site where, on creating an account, you are required to confirm your email address. For companies who do not run a web store, this can be difficult to set up, and people selling double opt-in solutions are pushing it as a requirement.
However, having been through the ICO’s draft GDPR consent guidance document, I have seen no mention of double opt-in, only that people must positively opt-in. To clarify this point, I discussed this with the ICO and they stated that they are “not aware of the requirement at this time”, and that “Under the GDPR you will be aware that consent needs to be clear and require a positive 'opt in' action”.
When speaking to companies, a common response to items such as Subject Access Requests is "we will charge them for the service". However, as stated previously, the new regulation is all about the individual's rights, and the ICO are quite clear that "In most cases you will not be able to charge for complying with a request."
Many businesses rely on purchasing contact data to market to. The ICO state that one of the new key points is:
“Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.”
As you can see, the new regulation makes it a lot more difficult to share data. As such, companies purchasing contact data must take care that the consent under which it was collected named them specifically, rather than merely a category of organisation; otherwise the purchased data does not satisfy the requirements.
In general, if you are trying to create a workaround rather than a direct solution, then you probably aren't allowed to do it that way. Even if you can, the final outcome tends to be that it would have been worth doing it properly in the first place. It is worth making every effort to comply as soon as possible and in accordance with the guidelines.
To keep up to date with the latest news and releases on GDPR, please sign up to our newsletter.