Friday, 11 May 2018

How-to: GDPR - legitimate interests vs. consent


Under the new GDPR regulations, you need to decide your 'basis for processing'; a reason why you are collecting and storing personal data. The GDPR makes a distinction between 'consent' and 'legitimate interests'.

Under the new regulations, there are six lawful bases for processing data:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose; for example, they've signed up to your newsletter to receive email.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. If a customer buys a ticket to a show, you can email them to let them know it has been cancelled.
  3. Legal obligation: the processing is necessary for you to comply with the law; for example, compiling airline passenger lists.
  4. Vital interests: the processing is necessary to protect someone's life; for example, medical history.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law; for example, collecting local taxes.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. This might be the justification for processing data that doesn't fall under the other five bases.

Cultural and sporting organisations will, for the most part, be using legitimate interests and consent.

Madness and the method

Your basis for data processing is also affected by your communications method.

Another set of regulations requires compliance in addition to GDPR. PECR (the Privacy and Electronic Communications Regulations) covers communications by email or SMS text. Telephone communications are included when calling is by automated dialler. It excludes direct mail by letter post and most telephone calls.

If you're working with email or text contact lists, legitimate interests is not, on its own, a valid basis for processing.

Email and text communications

Under PECR, personal data may be handled with implied consent, or 'soft opt-in', based on a prior relationship; for example, they approached you with an enquiry or initiated a purchase, therefore you may communicate with them on the basis that they showed an interest in what you offer. However, PECR is now subordinate to GDPR.

Consent under GDPR must be clear, use a positive opt-in - no pre-ticked default boxes - and include an easy method to 'opt-out' at any time. Following posts will look at consents and check-lists.

The ICO's guidance on PECR states:
You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the 'soft opt-in'.

Soft opt-in

If your organisation sells tickets, then soft opt-in retains a limited use. Soft opt-in can be used when a customer has bought a service or product from you, or was part-way through a sale (a pricing enquiry or abandoned shopping cart). GDPR requires you to give them the means to opt out of personal data storage at the point of original data capture. You must also give them the option to opt out each time you send them an email after this. Most email platforms such as Mailchimp or Survey Monkey automatically include an unsubscribe link in the email footer.

Organisations and companies

If you are emailing a non-personal email address without a name, such as info@ or admin@, then you do not require consent, as these are considered open and public addresses for general communications. Named individuals at the same email domain require consent. So for marketing and promotions, admin@somedomain.net requires no consent; johnsmith@somedomain.net requires explicit consent.

However, if johnsmith@somedomain.net was used to book a party onto a training course (that is, they approached you as a customer), you still have the soft opt-in to send marketing messages to the named contact, as long as you include an 'opt-out' or unsubscribe link in each subsequent email you send them.

The official guidance from the ICO states:
You can send marketing emails or texts to companies. However, it is good practice to keep a 'do not email or text' list of any companies that object.
It is complex, and there are decision-tree type flow charts to work through to determine what you are allowed to do.

Our simplified view* is:
  • did the person initiate contact with you with a legitimate enquiry or purchase? If so, soft opt-in remains valid, but you must enable them to opt out every time you contact them thereafter
  • in any other case, GDPR requires consent.

Post and Telephone Marketing

For post and telephone marketing not through an auto-dialler, GDPR applies, and you must identify legitimate interests or consent as your basis for data processing.

The ICO's definition of 'legitimate interests':
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
Legitimate interests is not a licence to spam; the privacy interests of the person whose data you are processing take precedence. Communications must pass a 'reasonableness' test of legitimacy.

Sending a brochure for future arts or sports events to current and past members, ticket-holders or buyers is a legitimate communication (as long as there is a clear opt-out method for subsequent communications).

Selling your list to a third-party insurance agent, glazing company, window cleaner, warranty provider or no-win-no-fee claims firm is NOT covered by legitimate interests under GDPR, as none of those are reasonably expected in connection with the original interest.

The GDPR outlines a clear procedure for deciding what data processing you can cover under legitimate interests - a Legitimate Interests Assessment (LIA).

The ICO defines three stages:
  • Purpose test: are you pursuing a legitimate interest?
  • Necessity test: is the processing necessary for that purpose?
  • Balancing test: do the individual's interests override the legitimate interest?

Consent will always override legitimate interests if your data processing has the potential to harm the individual (that is, may be prejudicial to someone's health or livelihood in the wrong hands), or you're working with children's data.

These assessments need to be recorded and stored as evidence to back your basis for using legitimate interests.

Which is 'better'? Consent or Legitimate Interests?

Asking this question means you haven't understood the principles of consent and legitimate interests under GDPR.

The question is not 'better' but 'appropriate'.

Where legitimate interests is valid and appropriate to use in your organisation, you can communicate freely using the personal data you already capture. However, if there is doubt, then avoiding the penalties liable under GDPR should always steer you to obtain consent.

The PECR guidelines still apply for communications via email or text.

The ICO recommends that consent be 'granular' as opposed to the 'all or nothing' approach in use until now; that is, contacts should choose which channels of communication they consent to (and ideally at what frequency!).

Following posts will look at the specifics of obtaining consent under the GDPR. RC

References

For further guidance, see the ICO's guide to legitimate interests.
For a definitive guide, see the Information Commissioner's Office website

*Materials posted on this site are intended to provide an overview of GDPR, are in no way a definitive statement of the law and should not be construed as legal advice; if in doubt, consult a qualified legal practitioner.

Image credit: Framework for Consent Policies by Willowbl00 CC BY-SA 4.0, from Wikimedia Commons
