GDPR: Are You Focussing Too Much On Consent?
The GDPR deadline is looming. It’s the most significant overhaul in data protection in a generation and should be something hot on your agenda.
In our recent article, What is GDPR and how will it affect professional services firms? we listed a number of steps recommended by the ICO that would assist you in crafting your GDPR compliance strategy.
Any Google search for GDPR will bring up a huge amount of information, with one step in particular stealing most of the limelight… consent. Consent remains one of the six lawful bases to process personal data and by being a data controller, you must ensure that consent is appropriate.
Article 4 of the GDPR defines consent as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Gaining consent should be carefully requested. The definition ‘freely given’ and ‘specific’ can be widely interpreted, so be sure to check this page here which gives handy tips on how to ask for consent.
Many firms seem to be relying on consent as part of their compliance strategy for all the contacts they hold on their CRM system. But is this going overboard? And what are the other options?
The ICO stresses the importance of being aware of the other lawful bases for processing data. Your decision for each processing activity will depend on your purpose and relationship with an individual and you should document this.
Other lawful bases for processing data include:
Contracts: You can rely on this lawful basis if you need to process someone’s personal data:
- to fulfil your contractual obligations to them; or
- because they have asked you to do something before entering into a contract (eg provide a quote).
Legal obligation: You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation
Vital interests: You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life
Public task: You can rely on this lawful basis if you need to process personal data:
- ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
- to perform a specific task in the public interest that is set out in law
Legitimate interests: This is the most flexible lawful basis for processing. It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Reviewing your data processing is one step of many that should form part of your GDPR preparation. Do take the time to choose the best data processing method for each activity relating to your company and document this to help you demonstrate compliance.