Are you preparing to roll out new permission statements to collect personal data to a GDPR standard, but wondering what to do about your existing data? Can it be used compliantly come 25 May 2018? Do you need to update the permissions you have, or in some cases ditch the data completely?
Fear not, you are not alone. This is a dilemma facing many businesses and not-for-profit organisations.
The Information Commissioner’s Office has made it clear in its draft Guidance on Consent, “If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.”
Will there be some leeway post GDPR?
The answer is very unlikely. Earlier this year, the ICO’s Head of International Strategy & Intelligence, Steve Wood said, ‘Will there be a grace period? No. You will not hear talk of grace periods from people at the ICO. That’s not part of our regulatory strategy.’ However, how quick the Regulator will move to take action remains to be seen.
What WILL constitute GDPR compliant consent?
If you are relying on consent as the lawful basis for processing, you will need to assess what data you hold (and whether all, some or perhaps even none) meets the GDPR standard. If consent was “freely given, specific, informed and unambiguous” it will be okay. The ICO has said this means individuals will have actively opted-in, were given a genuine choice and that it was clear and specific what they were consenting to. And, not to forget most crucially that individuals are always provided with the opportunity to opt-out.
What will NOT constitute GDPR compliant consent?
If you have been vague about what individuals were consenting to and if consent covered a range of processing activities that weren’t clearly defined, the consent you have won’t be valid under the GDPR. Consent also should not be a pre-condition of a service and pre-ticked boxes are a completely no go under the GDPR. If you’ve used them in the past the consent you collected won’t be valid.
The requirement to provide proof of consent
Under the GDPR you are required to keep detailed records to clearly demonstrate you have collected consent compliantly. If you have records on your database where you cannot provide information on who was the Data Controller, when the consent was given and what you told people when you collected their personal data, you will be unable to prove you have their consent should a complaint arise.
How do you renew consent?
If you are considering a re-permissioning campaign via email be careful. It is wise to ensure you already have PECR level consent and are able to demonstrate this should complaints arise. If you don’t really know whether you have consent or not, when and how it was collected, an email campaign to renew consent may prove a risky approach.
The ICO has made it clear you can’t break an existing law in trying to comply with a new one (illustrated by the companies fined for doing so). For example, Honda sent an email to customers aimed at clarifying their marketing permissions. The company considered this to be a ‘service’ message not a marketing communication. The ICO disagreed and Honda couldn’t prove customers had agreed to receive such a message.
Safer alternatives, could be to include new permissions statements within postal communications, add permission pop ups for customers when visiting your website and/or to renew consent over the telephone with a GDPR compliant script.
St Leonards Hospice in York has taken a bold and creative approach with an eye-catching mail shot to all its customers. The letter explains the GDPR, how crucial it is for the charity to be able to communicate with them and asks them to actively opt-in. The move has undoubtedly given the hospice some great publicity.
Will data collected with a “soft opt-in” be okay?
If you have obtained customer email data using the soft opt-in exemption, this will still comply i.e. the following conditions have been adhered to:
• you obtained an individual’s personal data in the course of a sale or negotiations for a sale of a product or service;
• the communications you send are only marketing similar products or services; and
• the individual was provided with a simple opportunity to refuse marketing when their details were collected, and if they didn’t opt out at this point, they are given a simple way to do so in all future marketing communications
This exemption is available under the Privacy and Electronic Communications Regulations (PECR) governing electronic communications. A new EU ePrivacy Regulation is on the horizon, and although the original aim was to implement this in line with the GDPR this is now very unlikely. PECR will therefore sit alongside the GDPR. Drafts of the ePrivacy Regulation still contain this exemption, although its scope may be limited.
Is Consent the only way?
The ICO has been keen to stress that Consent is only one of six legal grounds for processing under the GDPR, and that where individuals can’t be given a clear genuine choice or where consent is inappropriate, organisations should consider using another basis, for example Legitimate Interests.
It may be the case that for some of your existing data that you might be able to rely on Legitimate Interests to continue to process it under the GDPR, but this approach needs careful consideration and should not be viewed as an easy alternative to consent.
You are required to undertake a proper assessment to clearly demonstrate you have balanced your legitimate interests with the rights and freedoms of individuals. People should also be informed if an organisation is relying on LI to process their data and must be given clear opportunities to opt-out.
A potential use of Legitimate Interests is for it to be used in conjunction with the PECR ‘soft opt-in’ exemption to allow continued processing i.e. Legitimate Interests is relied on to hold the data and soft opt-in used to send email marketing communications. Legitimate Interest may also be considered to profile existing data you hold.
The DPN has published Guidance on the use of Legitimate Interests under the GDPR, which includes a template for a Legitimate Interests Assessment (LIA).
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.