Think ‘Consent’ is the only choice for GDPR compliance?
The GDPR (General Data Protection Regulation) became enforceable on 25 May 2018 after years of negotiation between the EU member states, and it supersedes the Data Protection Directive of 1995. Its purpose is to protect the personal data and privacy of individuals in the EU in today's data-driven world. Many questions about how to interpret the regulation arose as it came into force. After some recent interactions at data privacy conferences, in training sessions and in client conversations, I thought there is a need to clear the air on one pertinent topic: consent as a legal basis for data processing under the GDPR. Some tend to think that "consent" is the most appropriate or "safe" way of satisfying the GDPR's "legal basis for processing" requirement. Some even believe, or are led to believe, that consent is the only legal basis. Both assertions are false.
GDPR Article 6 specifies six different legal bases for processing personal data, of which consent is one. Consent is by far the most discussed option, for several reasons. In the past, the approach to obtaining consent has been interpreted in a variety of ways. The other main reason is the repercussions for sales and marketing, including on websites and in mobile apps, where user consent is most visible.
The other five legal bases can be summed up in one phrase: "the necessity of processing". Each of them requires that the processing be necessary for the stated purpose. Further, no one of the six bases is "better" than the others; the appropriate basis depends on the processing in question.
The other five valid legal bases are as follows:
performance of a contract
meeting a legal obligation
protecting the vital interests of the data subject
performing a task carried out in the public interest
the legitimate interests of the controller or a third party (an interesting one; more details follow below)
Let us consider each of these:
Performance of a contract: when the controller is party to a contract with the data subject, or the processing is part of the steps required to enter into such a contract at the data subject's request. Example: in an online shopping scenario, an EU data subject has ordered a product. The e-commerce company must process personal data such as the customer's name and address in order to fulfil the contract, i.e. to deliver the product to the subject's address.
Legal obligation: when the controller needs to process personal data to comply with a legal obligation under EU or member state law. Example: the controller has to process a data subject's information to comply with a court order.
Vital interests: when the processing is necessary to protect someone's life. Example: a data subject is unconscious and cannot give consent to treatment. Outside hospitals and humanitarian care, such as in the case of a natural disaster, this basis has very limited applicability.
Public interest: when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Outside public authorities and other public service agencies, this basis has very limited applicability.
Legitimate interests: a careful assessment is needed before relying on this basis. It may be satisfied when all three of the following conditions hold:
the processing is necessary for the stated purpose
the purpose is a legitimate interest of the controller or of a third party
that legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject
The third condition is the "balance of interests" between the controller and the data subject. The regulation emphasises that the reasonable expectations of the data subject, based on their relationship with the data controller, must be taken into account.
The legitimate interests basis can potentially be used in a range of business processing scenarios. The following are just a couple of scenarios where legitimate interests can be a valid legal basis:
Scenario 1: processing personal data for direct marketing purposes. For instance, a data controller has obtained a customer's email address during the sale of a product or service and uses it to send marketing communications with an opt-out option. Note that the data subject retains the right to object to direct marketing at any time, and that objection must be honoured.
Scenario 2: processing strictly necessary for the purposes of fraud prevention.
Businesses have been given an array of options under the GDPR for establishing the legal basis of processing. In particular, legitimate interests can be an alternative to consent. A business should undertake a diligent exercise to determine which legal basis is appropriate for each processing activity and will be relied upon, and should document that choice with its justification. The legal basis for each process involving personal data should be established before the processing starts.
Retrospectively changing the legal basis for processing that is already under way may itself amount to GDPR non-compliance. It will not be uncommon to find that businesses, as they become GDPR compliant, end up with "consent" as the least used of all the options.