Published: Monday January 22, 2018
A blog by Kate Lewis, Head of Privacy and Data Compliance
When the ICO (Information Commissioner’s Office) published its consultation on GDPR and consent last March, it left many unanswered questions for businesses. The good news is things are now much clearer, thanks to guidance from the EU’s Article 29 Working Party.
The main thing to note is that if consent is obtained prior to 25 May 2018 and meets all of the conditions required by the GDPR, it will remain valid when the GDPR comes into force.
I understand, however, that for a lot of businesses the data previously gathered under the processing condition of ‘consent’ will not be valid. In light of this, we were particularly pleased to read this paragraph:
“If a controller finds that the consent previously obtained under the old legislation will not meet the standard of GDPR consent, then controllers must assess whether the processing may be based on a different lawful basis, taking into account the conditions set by the GDPR. However this is a one off situation as controllers are moving from applying the Directive to applying the GDPR. Under the GDPR, it is not possible to swap between one lawful basis and another. If a controller is unable to renew consent in a compliant way and is also unable to make the transition to GDPR compliance by basing data processing on a different lawful basis while ensuring that continued processing is fair and accounted for, the processing activities must be stopped. In any event the controller needs to observe the principles of lawful, fair and transparent processing.”
So, what does this mean in practice?
As long as you have been clear with an individual about how you intend to use their personal data, you may change the lawful processing condition you rely upon. However, it’s important to stress that this decision must be made before the GDPR comes into force. If you decide to do this on 26 May or later, the option is no longer available. So, if you’ve been relying on consent which does not meet GDPR standards, you may find you are unable to use any of that data.
We believe consent is one of the weakest conditions to rely upon – it’s harder to obtain and can be withdrawn at any time. My advice would be to take the time now to really consider the processing conditions you intend to rely upon.
To help, we’ve created the following checklist:
- Have you been clear with an individual about how you will use their data? If yes, document your position, including evidence of what an individual was told, and what lawful processing condition you intend to rely upon for processing their data in the future.
- If you are processing the data under Legitimate Interests, ensure you complete a balancing test (click here to use our free template, in the ‘GDPR Customer Roll Out’ section).
- Are you confident you can defend the decisions you have made to an individual or a regulator?
Whilst these four steps are to be used as a guide and we can’t offer legal advice, they should put you in a strong position to evidence compliance with the requirement.
At GBG, we really welcome this clarification as it supports our own GDPR program, where we have been asking customers and data partners to consider their lawful processing conditions.
In my view, consent cannot be used with third-party data partners as it’s difficult to meet the clear and transparent requirement. This is because you don’t know what data will be shared, with whom, and why. You would need to name every single third party that data is shared with. Can you confidently do this and be sure it won’t change?
If there is another condition you can rely upon other than consent, you should do so.
We believe the strongest conditions GBG’s customers should be relying upon are:
- Compliance with a Legal Obligation
- Public Interest
- Performance of a Contract
- Legitimate Interest
We’ve struggled to identify a scenario where one of our customers using GBG’s products, and therefore third-party data from GBG’s partners, would be able to meet the criteria required to rely on “Vital Interests” as a lawful processing condition.
To find out more information about how GBG’s products can support your GDPR compliance, or to understand more about GBG’s own GDPR plan, visit: www.gbgplc.com/our-gdpr-compliance-plan.