DMA Europa Group

GDPR Part 2 – Can I keep my data, how can I use my data, and how do I collect data now?


To understand the basics of the GDPR, view part 1.

The scary prospect of the GDPR’s increased fines is driving some companies to delete their entire databases of personal data. But while the fines can be a bit terrifying, the changes in the GDPR do not call for such drastic measures. If you were using your data legally before, it’s possible that you can still use most of it, if not all of it.

There’s no special rule that distinguishes data obtained before the GDPR from data obtained after the GDPR. It’s simply a case of whether the data is used in compliance with the GDPR or not.

The key requirement for processing data under the GDPR is to have a lawful basis for each and every activity and purpose you process it for. For many of these bases you’ll then need to show that the processing of data is ‘necessary’ for that purpose and that you’ve documented the reasons for that choice.

How do I decide what lawful basis to use?

There are six lawful bases for processing data. You only need to have one of them but it’s in your best interest to select the best option for your purpose. These bases are:

Certain ‘special category’ data and criminal offence data have their own conditions for use.

You should select only one of the above, even if two potential bases could apply. No basis is inherently ‘better’ than the others; it will all depend on the specific activities. A good structure to use would normally be:

  1. Analyse all the legal bases
  2. Compare these with each purpose you process data for independently
  3. Find which ones could apply
  4. Assess which one is the best fit for each purpose
  5. Document all these stages and decisions

For most of our clients, consent, contract, and legitimate interests will ordinarily be the best options.

Consent

The GDPR raises the bar on the standards for consent to such an extent that it may be preferable to choose another legal basis. The consent must be real and genuine, so good practice for getting consent includes:

  • Making sure they have a real choice and not making consent a requirement to receive the service
  • Requiring a positive opt-in. No pre-ticked boxes and no “by clicking continue you agree”
  • A clear and specific statement demonstrating what they are consenting to and for what purpose. This should be in simple language, separate from any other terms and conditions and, if possible, each processing purpose should be separate from the others
  • Naming any third-party controllers.

Additionally, it should be as easy to retract consent as it is to give it. This involves letting the data subject know how to do this when they first consent, making it easy to find instructions on how to do this, and giving them the option every time they see the outcome of their data being processed (e.g. an unsubscribe link on an email).

Contract

Little of this legal basis has changed with the GDPR. The basic principle is that if you need to process a data subject’s data in order to fulfil a contract, or at their request in order to prepare for a contract (e.g. a quote), then you’re free to do so, as long as it is ‘necessary’.

‘Necessary’ does not mean it is essential. It merely means it is the most appropriate way. If there is a reasonable way to carry out your contractual obligations that intrudes less on someone’s privacy, then the processing is not ‘necessary’. Your processing must meet this requirement of ‘necessary’ for the purpose of the contract; if it is also used to support your business model (e.g. recommending related products), that use will not fall within this basis.

Legitimate Interests

Legitimate interest is the most flexible lawful basis for data processing, which makes it the most useful. However, that doesn’t mean it’s the most appropriate. With this greater ‘power’ comes greater responsibility.

There are 3 parts to this basis.

  • The purpose test: is the interest legitimate?
  • The necessity test: is the processing ‘necessary’ for that purpose?
  • The balancing test: is the purpose overridden by an individual’s interest?

The purpose test is quite open. Essentially, the processing must be in someone’s interest, whether it’s your own, a third party’s, a business’s or society’s as a whole. The GDPR lists some examples (see recitals 47, 48 and 49), and these include marketing. Some things to consider include:

  • What are you trying to achieve by processing the data?
  • Who benefits and how do they benefit?
  • How important are the benefits?
  • How severe would the impact of not carrying out the processing be?
  • Is the processing unethical or unlawful in any way?

The purpose doesn’t need to be compelling; in fact it can be very trivial. However, the stronger the benefits, the better when it comes to the balancing test.

The necessity test is similar to the contract one. It doesn’t need to be essential, but there must not be another reasonable way that intrudes less on someone’s privacy to achieve the same results.

The balancing test is exactly what it says on the tin. It’s about balancing the benefit of the processing against the interests of the individual. This doesn’t necessarily mean that the processing must benefit the individual, just that the benefits must outweigh the ‘harm’ to the data subject. Essentially, you have to consider if the individual would face ‘unwarranted harm’ or if their data would be processed in a way they would not reasonably expect. If the unreasonableness or harm of the processing is greater than the benefit, you cannot rely on the legitimate interest basis.

Some things to consider when assessing harm, expectations and this balance are:

  • Your relationship with the individual
  • How sensitive the data is
  • Would people expect their data to be used like this?
  • Is it easy to explain while still sounding ethical?
  • The impact on the individual
  • Are vulnerable people’s data, such as children’s, being processed?
  • Can you minimise the data usage more?

In addition to this you should offer opt-outs whenever appropriate and make it easy to find out how to opt out. The more trivial the purpose, the easier it should be to opt out. You should also document this decision and the decision-making process, and communicate the purpose and use of data to the data subjects.

So can I continue to use my data and do I need to change how I collect data?

We’re back to the question this article aims to answer. In short, it’s going to vary on a case-by-case basis. For each use you need to assess whether your data meets any of these bases and the requirements within them, and then choose the most appropriate one. It may be that you need to narrow down your existing database of personal data, setting aside the records you are unsure meet these requirements.

For existing data, it must meet these requirements. For example, if you’re relying on consent, you must make sure that all the consent previously given meets this heightened level of consent. For data you’re collecting now, you must make sure that your data collection process is adjusted to meet the requirements.

When you’ve assessed this, you should:

  • Document the decision
  • Document the process of reaching this decision and why you’ve chosen this lawful basis
  • Communicate your use of data, your legal basis and your purpose to your data subjects
  • Continue to ensure that data usage falls in the same lawful basis

You must also ensure that you are then protecting an individual’s rights: see GDPR Part 3 – Citizens and their data: What do I have to do for my data subjects?

Nothing on this site constitutes legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required.

The contents of this site are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

For more information you can read the regulation here or visit the website of the Information Commissioner’s Office. Specialist legal advice should be taken in relation to specific circumstances.

Published April 3, 2018