Legitimating Your Data Processing Under GDPR
By now you must be familiar with the enforcement of the EU General Data Protection Regulation (GDPR) and the fact that data processing now requires a valid legal basis, most commonly consent. According to the guidelines, data subjects are now well within their rights to be erased. If a particular data subject submits a request to the party processing its data to take it down, that party is now legally obligated to do so. The ICO (the UK supervisory authority) has set a deadline of 30 days for parties to comply with such requests, failing which heavy fines will be levied on them. However, consent is not the only way data can be processed legally.
6 Ways to Legally Process Data
The first one, of course, is to collect consent from the data subjects. While this particular method is the one gaining most of the traction across the internet, it is just one of the five. You only need to collect the consent of the data subjects if none of the other methods is attainable.
- Collect consent from the data subjects.
- Legitimate purpose of the data controller to collect data.
- When the data controller has legal obligations to abide by.
- When the processing of the data in question is in the vital interest of the subjects.
- When the processing of the data is in the public interest.
- When there is a legal contract requirement to process personal data.
Whereas most of these are limited to very specific scenarios, options 2 and 4 have a better chance of avoiding the need for consent, which can sometimes be unattainable.
The ICO describes option 4 as the lawful basis with the widest scope for avoiding the need for consent. It is definitively a case where data processing is fairly acknowledged by the subject, has minimal to no impact on the person's rights and freedoms, and there is a persuasive ground for processing.
Moreover, marketing activities are considered legal under the umbrella of legitimate interests. This means you do not always need consent from the data subject for marketing, though be careful regarding other regulations such as PECR.
GDPR Legitimate Interests Assessments
LIAs are balancing tests that are conducted to justify the collection of data under legitimate interests. The local supervisory authority will review these during an investigation. In other words, an LIA is a risk assessment.
To conduct an LIA, document the following (the answers below are those of the example company described on this page):
- Relation with the data subject: The data subjects in question are present in our client database; we have entered into business with them.
- Is the data private and sensitive in nature? We are only processing email addresses and names, which we do not believe to be sensitive in nature.
- Would the data subjects expect their data to be processed? It would likely be expected by the data subjects, as advertising to existing and prospective clients is a common practice.
- Is anyone likely to object to this processing of data? It is not likely to be considered invasive, and anyone objecting to this processing is provided an option to opt out.
- How will the processing affect the data subjects? They will receive newsletters from our company by email.
- How large an impact might this have on the data subjects? Not a big impact in any way.
- Do the data subjects include children? All of our subjects are verified adults.
- Are any of the data subjects vulnerable? None at all.
- Have you adopted any safeguards regarding the impact on data subjects? The only data being processed is the name and email address of each subject. There should be no impact on the data subjects should an email be sent to the wrong person.
- Will there be an option to opt out? Yes, an opt-out option will be included in the invitation email.
LIA test complete.
Consent is not the only way to lawfully and rightfully process data. However, if you cannot rely on the other 5 possibilities, consent is the only option available from now on under the EU General Data Protection Regulation.
Under GDPR, data subjects take precedence over data processors, so the right to process and control private data is easily overridden by the right to object.
In the end, if you keep your cards on the table, your actions justified and your documents in order, you will find that GDPR is not just a bundle of heavy fines. It will make your data processing much cleaner and more ethical.