We often hear comments like “The GDPR is a consent based law” and ” Under the GDPR you must have consent”, yet nothing could be further from the truth. Let’s unpack where consent fits under the GDPR.
As consumers we have been trained to not trust most organizations with our personal data. We know they are going to abuse it for their own profits. With this context in mind the regulators knew that we would not give our consent to organizations who asked until some trust was restored. They knew that would take time. So the challenge was: how do we transition?
The other factor for regulators was consumer consent fatigue. The typical internet user is not terribly patient. When they click on something they expect to arrive at the information they clicked on – not on a preference notice that is requesting consent to do x,y and z. Imagine if those consent requests popped up every time you were trying to find something online?
With these factors in mind, balancing business needs with individuals privacy rights required some innovative thinking. First and foremost, the GDPR is a data protection laws for individuals. But it must consider the needs of the business community and create a clear path to allow businesses to use personal data, within reason and under certain circumstances that would be deemed acceptable by most people. This is where the concept of having a Lawful Basis of Processing came from.
Lawful Basis of Processing
There are 6 Lawful Basis of Processing stated in Article 6 of the General Data Protection Regulations, as follows:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
The first one listed is CONSENT but the other 2 that the private sector can use are CONTRACTUAL and LEGITIMATE INTEREST. The other 3 are for Government and institutions.
So there are 3 “Lawful Basis of Processing” that an organization can chose from when making decisions about the collection and use of personal data. All the GDPR requires the organization to do is to group personal data by category and decide which lawful basis they will rely on for that category of data.
For example, your email address is considered personal identifiable data so any business wishing to use (process) that data to send you a message must think through and document which Lawful Basis of Processing they are going to use to send you messages. For the most part, sending promotional messages via email is a mix of all 3 options.
First we would look at CONSENT. All email addresses that we have consent for can be processed under 6.1a. Tracking and recording CONSENT may require some new technology like CASSIE by Syrenis – a Consent Management Platform otherwise know as a powerful Preference Centre. Smaller companies may simply create a field in their Email Service Provide like MailChimp, that states the Lawful Basis of Processing, where the proof is stored and the date of consent.
Under the GDPR, consent is not forever like it is under CASL here in Canada. An organization must renew consent on a regular basis and have a sound rationale for that decision. For example a car dealer might say consent is for 3 years because that’s the typical lease period. In order to continue emailing a specific email address after 3 years they must request consent again.
Some of the organizational email list consists of customers and some messaging about things like warranties and recall, etc are considered transactional messages. The Organization can rely on CONTRACTUAL to send these kinds of messages and may be able to claim LEGITIMATE INTEREST for all other types of email messages. The tricky part of CONTRACTUAL is – the email must be necessary to fulfill the contract. Obviously promotional messages for other products do not meet that criteria.
Most direct marketing activities are considered LEGITIMATE INTEREST but a Legitimate Interest Assessment should be on record to show the organization thought this through and is aware of any potential risk to the individual or violation of their privacy rights. Remember, a CRM or ESP data file should contain a record of the selected Lawful Basis of Processing, where the proof is stored and the date. Under any data protection or privacy law having CONSENT, CONTRACTUAL or LEGITIMATE INTEREST is not good enough – you must be able to PROVE IT if requested by a Data Protection Authority! Some new processes may have to be put in place that allow you to do that.
All email messages require a working unsubscribe mechanism. An individual must be offered the opportunity to be removed from an email list. This is known as an “opt-out regime”. By comparison, Canada has opted for an “opt-in regime” under the Canadian Anti Spam Legislation (CASL).
Respect, choice and transparency are at the core, but as you can see, CONSENT is not the only Lawful Basis of Processing under the GDPR. Yet all require thought and consideration as well as documentation by the organization. We have helped large and small organization figure our their Privacy Management Programmes which includes creating policies and procedures manuals and staff training. Contact us at privacy@newportthomson.com