When you're a business attempting to ready yourself for any piece of significant regulation, you'd be forgiven for feeling adrift when trying to understand the vagaries of compliance. GDPR, as my colleague Nikki Risi pointed out in her latest post on the subject, is a case in point.
And it's not surprising that businesses are concerned about their lack of understanding: with headlines around the new data protection regulations so focussed on the hefty fines for non-compliance, a mild sense of panic has ensued in some areas. But in the ICO's latest myth-busting podcast on GDPR, Information Commissioner Elizabeth Denham explains that the tenor of the new law is less about penalties and more about incentivising companies to step up and take their responsibility for people's data seriously.
But how do you ensure that you've read and understood all the implications of the legislation and how it applies to your business?
Well, to be fair to the ICO (who will be the ones administering and enforcing GDPR), they have a wealth of guidance on the subject - from understanding the lawful bases for processing data to outlining the extended rights that individuals will now enjoy with regard to their data.
However, for me there are still some areas that require more clarity, and certainly a decision on your part as to which is the best fit for your organisation.
One oft-highlighted emphasis of GDPR is on a higher standard of consent - the understanding that a person will be able to unambiguously and affirmatively consent to a business processing their data in a particular way.
The benefits to the individual are that they have real choice and control over how their data is used; and for the business, getting consent right reflects the importance you place on providing a great customer experience, built on confidence and trust.
Yet, with consent having to be fully informed, there is potentially a burden on your business to provide clear and exact detail to individuals as to what that consent means, how data will be processed, stored and used by you (via your privacy information) and how you will inform them if/when this might need to be revised for new activities. You will also have to evidence how and when you acquired consent, how you will update that consent where needed and make it easy for someone to withdraw their consent at any time.
Given those prerequisites, you may not choose consent as your chief GDPR compliance mechanism - in which case, you need to consider what other "lawful basis" you are using to justify your processing of personal data.
Outside the bases of "legal obligation" (for example, processing salary data for your staff) or "contract" (for instance, where you've been asked to send a quote to someone, you need to process their information to do so), companies will be able to cite "legitimate interest" as their rationale for processing data.
What does this mean? Well, in the words of the ICO again: "legitimate interests is the most flexible lawful basis... [and] is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact". For instance, Recital 47 of GDPR states: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest".
For some organisations, this might seem like a panacea in GDPR terms; it appears that under this basis you don't need consent, you can still process personal data if it doesn't go beyond people's "reasonable" expectations and it is in your commercial interest to do so.
However, caution should prevail here; warnings abound over trying to play fast and loose with the legislation by choosing this as your justification for all future marketing endeavours. In his post on the subject, Dr Jonny Ryan of PageFair describes some businesses as clinging on to a false hope here, fostering an "erroneous supposition that they will not have to ask people for permission [to] use their personal data."
Indeed, as you'd expect in any sound piece of regulation, just as for consent, there will be a significant burden of proof on any company opting for this route of compliance, via a legitimate interest assessment (LIA). This LIA is essentially a risk assessment document which records your business necessity in using an individual's data, balanced against the impact on that individual of you using their details to further your "legitimate interests". In addition, as for consent, you will need to include details in your privacy statements as to how you will be processing personal information and a justification of your business purposes for doing so. Phew! (Note: there is still no specific guidance from the ICO on correct implementation of "legitimate interest" as a mechanism for compliance with GDPR. However, I would highly recommend the guide produced by Communicator Corp as well as that created by the DPN, both offering sound judgement and direction to businesses on how you might implement it.)
In short, neither route to compliance, consent nor legitimate interest, comes without some effort. But companies that have always aimed to be fair and conscientious in the way that they handle and treat their contact data should feel confident that their route to compliance, whichever basis they choose, will not be a troublesome one, given just a bit of endeavour.
Which way will you choose?
What does 'legitimate interests' mean and how might it apply? Fairly obviously, the term refers to the stake that the company processing the personal data may have in that processing. This may imply a benefit for that company itself or perhaps for wider society. As the DPN points out, a legitimate interest 'must be real and not too vague'. For example, it may apply to an organisation's data processing as part of fraud protection, security measures or transferring that data between different parts of an organisational group. Some of this may already be part of legal compliance. These sorts of interests may seem pretty fair to the average reader, and indeed the expectations of users are one of the elements that the ICO guidance earmarks for consideration when a data controller is deciding whether to rely on legitimate interests.