By Simon Clayton, chief ideas officer, RefTech
Since GDPR first hit the headlines there has been an awful lot of scaremongering and/or misunderstanding over the ‘consent’ part of the regulations. Many ‘experts’ claimed that a company needed specific consent from the individual to use their personal data, but this simply isn’t true, and I think it’s a lack of understanding of the full text of the regulations that is the problem here.
Article 6 of the GDPR clearly states that there are six different lawful reasons for processing personal data, and they are all equally valid. There is no hierarchy, i.e. one is not better or ‘more legally binding’ than the others. One of those reasons is that you have the data subject’s ‘consent’, but the ICO says that you shouldn’t use consent if you have another legal reason for processing the personal data.
“One of the reasons for holding and processing personal data is for the legitimate interests of the data controller as long as those interests don’t override the rights and freedoms of the data subject.” In order to find out if the rights and freedoms of the data subject are impacted you should conduct a “balancing test” and in simple cases of direct marketing, the balancing test can normally be satisfied by giving the individual the right to opt-out or unsubscribe from direct marketing.
Recital 47 of GDPR goes further and says that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest” but this again is only as long as the rights and freedoms of the data subject aren’t outweighed.
To summarise that – if you have a legitimate business reason for storing personal data then you don’t actually need a person’s explicit consent.
This means that if you are holding a person’s data because they attended ‘A Conference 2017’ then it is reasonable to safely and securely store their data and contact them to ask if they would like to attend ‘A Conference 2018’ because it’s a reasonable assumption that if they attended last year’s event then they may well be interested in attending this year’s event too.
Be careful not to try to stretch it too far – you probably shouldn’t assume that they would also like to attend other completely unrelated events that just happen to be organised by you, or subscribe to a related magazine or other service you offer. You can take one small leap in your assumptions – from last year’s event to this year’s – but a second leap to an unrelated product may be a leap too far. If you still aren’t sure, apply the ‘expected’ test – would the data subject reasonably expect to be invited to this year’s event? If you can morally and ethically say yes (and not because you’ve abused their data in the past), and the subject has the opportunity to opt out of the communication, then you should be fine.
A good solution for other events would be to use legitimate interests for the next year’s show and have a consent tick box for “Other events that we organise that you might be interested in”. An important point here though is that any consent tick boxes must never be checked by default and you must record exactly what the wording was at the point that the data subject agreed to it. You need to be able to prove that they consented otherwise the consent is not valid.
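To show what “record exactly what the wording was” and “never checked by default” look like once someone has to build the sign-up form, here is an added example of a small consent ledger. It is not RefTech’s code and not part of the original post; the purpose key “other-events”, the tick-box wording and the subject id are constructed for the illustration. Each opt-in is stored against a hash of the exact wording and version shown at the time, an unticked box records nothing (silence is not consent), a withdrawal is recorded as a later event, and a pre-ticked box is refused before it can ever reach a form.

```python
"""Added example: an append-only consent ledger that can later prove what a
data subject agreed to, when, and against which exact wording."""
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentWording:
    """The exact text shown beside a tick box, plus a version so that any
    later change to the text produces a different record."""
    purpose: str                      # hypothetical key, e.g. "other-events"
    text: str                         # wording the data subject actually saw
    version: str                      # bump whenever the text changes
    checked_by_default: bool = False  # must stay False to be valid consent

    def fingerprint(self) -> str:
        # Hash of version + text: proves the stored wording is unchanged.
        return sha256(f"{self.version}\n{self.text}".encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool          # True = opted in, False = withdrew
    wording_hash: str      # fingerprint of the wording agreed to
    recorded_at: datetime


class ConsentLedger:
    """Events are only ever appended; the latest event per (subject, purpose) wins."""

    def __init__(self) -> None:
        self.current: Dict[str, ConsentWording] = {}   # purpose -> wording now in use
        self.by_hash: Dict[str, ConsentWording] = {}   # every wording ever used
        self.events: List[ConsentEvent] = []

    def register_wording(self, wording: ConsentWording) -> None:
        # A pre-ticked box is not an affirmative act, so refuse it up front.
        if wording.checked_by_default:
            raise ValueError(f"consent box for {wording.purpose!r} must not be checked by default")
        self.current[wording.purpose] = wording
        self.by_hash[wording.fingerprint()] = wording

    def record_form_submission(self, subject_id: str, purpose: str, ticked: bool,
                               when: Optional[datetime] = None) -> Optional[ConsentEvent]:
        """Only a ticked box creates a consent record; an unticked box records nothing."""
        if not ticked:
            return None
        wording = self.current[purpose]
        event = ConsentEvent(subject_id, purpose, True, wording.fingerprint(),
                             when or datetime.now(timezone.utc))
        self.events.append(event)
        return event

    def record_withdrawal(self, subject_id: str, purpose: str,
                          when: Optional[datetime] = None) -> ConsentEvent:
        """Opt-out / unsubscribe: appended, never deleting the earlier opt-in."""
        latest = self._latest(subject_id, purpose)
        wording_hash = latest.wording_hash if latest else ""
        event = ConsentEvent(subject_id, purpose, False, wording_hash,
                             when or datetime.now(timezone.utc))
        self.events.append(event)
        return event

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self.events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def has_valid_consent(self, subject_id: str, purpose: str) -> bool:
        """Consent counts only if the last event is an opt-in whose wording we still hold."""
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted and latest.wording_hash in self.by_hash

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What you would hand over to show the consent was valid: text, version, time."""
        latest = self._latest(subject_id, purpose)
        if latest is None or not latest.granted:
            return None
        wording = self.by_hash[latest.wording_hash]
        return {"subject_id": subject_id, "purpose": purpose, "text": wording.text,
                "version": wording.version, "agreed_at": latest.recorded_at.isoformat(),
                "wording_hash": latest.wording_hash}


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.register_wording(ConsentWording(
        "other-events", "Tick here to hear about other events we organise.", "v1"))
    ledger.record_form_submission("subject-123", "other-events", ticked=True)
    print(ledger.evidence("subject-123", "other-events"))
```

Because old wordings are kept by hash, changing the tick-box text to a new version does not break the proof for people who agreed to the earlier text; each record still resolves to the exact words they saw.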
A really important point here is that you should always document the decisions that you are making relating to this stuff because it’s a bit like your maths homework; even if you actually get the answer wrong, if you can show your reasoning and show that you thought about the legitimate interest and the data subject’s rights then you should be fine. The ICO want us all to be more responsible and think ethically about how we all use personal data.
We will be explaining the other legal reasons for storing and using data in our next blog to be published in January.