Four months and counting…
The GDPR comes into force on 25 May. Widely publicised as one of the biggest legal shake-ups in years, many businesses are understandably apprehensive about how the regulation will be implemented and, more importantly, how they can ensure that they are compliant.
The overarching requirement of the regulation is that the manner in which you collect, store, control, process and transfer personal data (i.e. information which can identify a living individual) is fair and lawful, but also transparent.
Our advice to you is that, as a data controller or processor, you should be making data subjects (individuals) aware as to how/when/why/what data is collected, stored and processed. Make it easy for data subjects to know how they can change this processing if they have a legal right to do so.
This isn’t everything you need to consider from a legal perspective, however. Perhaps one of the most commonly confused areas is whether or not you must obtain consent from individuals in order to process their data.
In some instances this is correct, but not always. There are many other “bases” under the GDPR which allow lawful processing and completely remove the requirement to obtain consent.
For example, personal data can be processed on the basis of you having a “legitimate interest” (i.e. you have a lawful business interest in processing the data and the impact resulting from that processing on the individual’s rights and freedoms is minimal). The term “legitimate interest” is not clearly defined within the regulation but is likely to be interpreted widely; the GDPR states that “direct marketing” may be a legitimate interest, for example. If you do have a legitimate interest in processing the data there is no need to obtain consent from the data subject provided that you inform the data subject that you will process the personal data in a specific way, and that you have a legitimate interest in doing so.
You may also process personal data if doing so is “necessary” in order to fulfil a contract you have with the data subject. Again, if this “basis” is engaged there is no requirement for you to obtain consent in respect of that processing.
There are a number of other lawful “bases” under the GDPR, separate from consent. If any of these is engaged, you won’t need to obtain consent.
We see consent as a last resort. In other words, only rely on obtaining explicit consent from data subjects where none of the other bases are engaged. An example would be where you are processing sensitive personal data: under the GDPR, sensitive personal data generally cannot be processed unless it is with the explicit consent of the data subject (or in other exceptional circumstances, such as where the processing is in the data subject’s vital interests).
The GDPR and data protection law can seem confusing. Our experts here at Briffa will be able to help you if you need a steer.