What would you rather wear - a bespoke suit or a strait-jacket? It might seem like an obvious choice since everybody aspires to have something tailor-made which fits perfectly. Yet the consequences are not always what might be expected. Put on a few pounds and that Savile Row sleekness can feel like a Bedlam bed jacket.
When it comes to choosing the basis on which your organisation will process personal data under GDPR, similar choices and outcomes are possible. What looks like the right option now could end up leaving you looking like a lunatic in six months’ time.
Nowhere is this risk more evident than around deciding to adopt consent as your lawful basis. It has been a notable feature across the four DataIQ GDPR Impact events that the representatives of many organisations in the audience have been advised that consent is the only way forward. By sharp contrast, four different lawyers presenting in the series strongly urged a close look at legitimate interest.
Many people are confusing PECR with GDPR.
One reason for this disparity is the depth of knowledge which data protection lawyers have about practice and precedent, compared to the general counsel often relied on in-house. But there is another reason which has been the cause of great confusion: mistaking the requirements of GDPR for those of the Privacy and Electronic Communications Regulations (PECR).
Right now, inboxes are filling up with messages stating that the law has changed and customers need to update their preferences about what emails they would like to receive. Yet PECR has not yet been revised (an update to the ePrivacy Regulation is in train, but a long way from ready) and for many who are already operating under legitimate interest to communicate with their customers, no such repermissioning is actually required.
Where GDPR comes into play is around any personalisation or profiling of those messages based on the processing of personal data. While PECR is specifically about communications channels, GDPR focuses on the purposes for which data will be processed. Since many organisations have been less than transparent about the ways in which the personal data they hold will be used, they are now rushing towards consent as their only valid basis.
However, this is a highly risky strategy for two reasons. Firstly, winning consent is never easy, which is why many marketers have historically used covert methods (like pre-ticked boxes or implied consent). Secondly, GDPR sets a very high bar for consent and places significant constraints on how it operates.
“Controllers cannot swap from consent to other lawful bases.”
Critically, you cannot simply swap jackets as it suits you. The recent guidance issued by the Article 29 Working Party makes this clear: “It is important to note here that if a controller chooses to rely on consent for any part of the processing, they must be prepared to respect that choice and stop that part of the processing if an individual withdraws consent. Sending out the message that data will be processed on the basis of consent, while actually some other lawful basis is relied on, would be fundamentally unfair to individuals. In other words, the controller cannot swap from consent to other lawful bases.”
So what view does the consumer have on this? In the DataIQ GDPR Impact Readiness report, one finding stands out: 54.7% say they will agree to processing just for one activity. While the question itself is potentially ambiguous, the finding shows that consumers want to constrain the extent to which their data is being used. In the past, they have felt a loss of control from the moment they hand over personal information, unsure just where it goes and how much it will be used (and rightly so, in many cases). Now, they want to set a boundary.
“Consent can be like going all-in on your hand in poker.”
If that one activity is defined and permissioned on the basis of consent, then an organisation is choosing to put on a strait-jacket. No use beyond that activity is covered by the consent given, and should an individual withdraw their consent, all processing of their data for that original purpose has to stop.
As Peter Galdies, director of DQM GRC, states: “Consent can be like going all-in on your hand in poker. It might give you a big win, or it could leave you broke and out of the game. While it might look like best practice because it seems transparent and ethical, it might not always be in the best interest of either the company or its customers.”
He believes the confusion between channel consent which PECR demands and the new range of lawful bases for data processing under GDPR is leading marketers especially to default to consent.
“Looking at their data, they see an existing consent to email and decide to refresh it for all purposes. That’s probably because existing customers are assumed to be ‘warm’ and therefore likely to give their consent and a simple consent is actually easy to enact,” says Galdies.
He adds: “In reality, there are many purposes for which organisations could be reasonably expected to process data to the benefit of both the customer and the data subject. If you can justify this, then using legitimate interest and allowing for an objection - or ‘opt-out’ - should be considered. Otherwise, consent could be the decision that makes you look less like a brilliant Mad Men-style strategist and more like simple madness.”
This article is the seventh in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC. For more information on the solutions it offers, visit dqmgrc.com.