GDPR countdown 6 - six degrees of separation from the truth about consent?

David Reed, knowledge and strategy director, DataIQ

When it comes to interpretations of the new data protection law, it can sometimes seem that truth has very little to do with what is being said. Search on the subject and the top result comes from a compliance vendor whose own privacy policy, most recently updated in August last year, says it processes personal information “for the purpose of trading in personal information”, then states “we will not share your data with third parties.”

Anybody hoping for practical, clear guidance could be forgiven for wondering how an apparently sensible law could be generating so much confusion and conflict. Some lawyers and in-house counsel have been telling their clients that consent is the only legal basis for data processing. And some commentators have even claimed that it will only be possible to tweet about celebrities if you have their consent. But don’t sell your shares in Twitter just yet - that view is a long way from the truth.

So thick and fast have these ill-informed insights become that last year the Information Commissioner’s Office created a “myth-busting” blog that tackled eight of the main areas of misunderstanding. It is a point that was made strongly by Mark Watts, partner in law firm Bristows, at a recent DataIQ GDPR Impact event. “As a result of growing awareness of GDPR, you get myths and misunderstandings,” he said.

Watts went on to outline three of these, leading off with the idea that consent is the main basis for data processing. “Without question, GDPR has consequences for consent, but people have got confused with the idea that it is always needed. The key question is, do you have a lawful basis for data processing? Consent is one of the six which are allowed and it is not always the best option,” said Watts.

Legitimate interest exists as a basis on which organisations can process personal data

It is easy to understand how many data practitioners, especially those in the marketing arena, might have gained this idea. After all, the requirements of the Privacy and Electronic Communications Regulation (PECR), which is currently being reviewed as the ePrivacy Regulation, put opt-in at the heart of using email, text and phone for marketing communications.

 As Watts pointed out, this has become blurred with GDPR because of the way the Regulation now defines many digital pieces of data, such as location or device ID, as personal information. 

Crucially, however, legitimate interest exists as a basis on which organisations, including their marketing functions, can process this data if it falls within the bounds of the purpose for which it was first collected. They also need to carry out a balancing test between the needs of the business and the rights of the individual - if there is more benefit than harm, then LI is likely to be applicable.

“Consent may be solving a problem that doesn’t exist.”

But Peter Galdies, director of DQM GRC, says many organisations are needlessly constraining their data processing opportunities by adopting consent as the legal basis. “Consent is a very positive affirmation by a data subject that you can process their personal information, which is why it has a strong appeal to certain legal minds. But for many use cases where the processing you wish to undertake might realistically be expected by the data subject, it may be solving a problem that doesn’t exist – simply put, it might not be the most appropriate basis for processing”

By contrast, legitimate interest provides an equally strong legal basis which many organisations should find they can claim. Galdies notes that, if adopting legitimate interest, it is important to remember to undertake a balancing exercise for the processing which should attempt to weigh up the importance of the processing to you with the risk of damage to the rights of individuals. (The ICO and Data Protection Network have both produced guidance on how to undertake this.) 

Perhaps the most honest way to think about LI is to put yourself in the mind of the data subject and ask yourself “could I really have anticipated and expected this processing? Is it reasonable and proportional to my relationship with the organisation?  If you cannot honestly say “yes” to either of those questions, then you may find LI a hard balance to strike.

It shouldn’t need saying that as big a decision as the legal basis for your data processing should not be informed by rogue tweets. But when some legal advice continues to suggest that consent is the best (or only) option, it is time to get worried. There are six legal bases available under GDPR and separating out which is the true path for your each of your organisation’s personal data processing requirements is critical.Related articles:

GDPR countdown 1 - changing the balance of favour

GDPR countdown 2 - a river that runs deep, so make sure your compliance isn’t shallow

GDPR countdown 3 - this time it doesn't have to be personal

GDPR countdown 4 - why training staff, not deploying IT should be your next best action

GDPR countdown 5 - why the data role you need is a protection officer, not a scientist

 

DQM GRC

This article is the sixth in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit dqmgrc.com

Knowledge and strategy director, DataIQ
David is developing the framework for soft skills and career development among data and analytics practitioners. He continues to be editor-in-chief and research director for DataIQ.