The General Data Protection Regulation comes into force tomorrow. Despite what you may have heard, GDPR is not only about getting consent to process the personal information of the people your company interacts with. As the implementation date has approached over the last few days, you could be forgiven for believing otherwise. A degree of panic among businesses appears to have set in regarding the consent issue. Stories of unnecessary GDPR consent emails clogging up inboxes have been widely reported. And the Information Commissioner’s website, which contains detailed GDPR compliance guidance, has crashed. Whether this is due to the sheer volume of traffic following relentless media pressure is unclear.
At Big Data Law we have been advising on and writing about GDPR implementation for some time. Granted, it represents a big change for businesses that handle personal data, with heavy fines a possibility. But it’s important not to overreact. Bespoke advice from a specialist solicitor ensures your business meets its GDPR obligations in the right way and provides peace of mind that you won’t face regulatory intervention.
SIX LAWFUL BASES FOR PROCESSING DATA
The media focus on the issue of consent is misleading. In fact, under GDPR there are six ways to lawfully process personal data. These are:
- Consent – which must be given clearly
- Contract – where data processing is necessary for you to perform a contract with the individual
- Legal obligation – where you need to process the information to comply with the law
- Vital interests – when the processing of data is essential to protect a life
- Public task – where you need to process the data to do something in the public interest
- Legitimate interests – when processing is necessary in the legitimate interests of you or a third party
It’s important for our clients to understand that they must establish the basis of processing before they start. And it’s worth giving this careful consideration because it’s not always straightforward to change your basis for processing later on.
CONSENT AS THE BASIS FOR DATA PROCESSING: WHAT DOES GDPR SAY?
GDPR is all about giving the individual greater protection over his or her personal data. When it comes to consent, this means companies must meet a higher test than under the previous law. So a pre-ticked box on your website, for example, will not be enough to infer consent. Instead you must obtain explicit consent by using clear language. And it must be easy for the individual to withdraw consent at any time.
Reassuringly, however, the Information Commissioner has been quite clear that companies do not necessarily need to obtain fresh consent from everyone on their databases. If the current consent meets the GDPR standard, there is no obligation to get further agreement to process an individual’s data.
GETTING THE RIGHT ADVICE
This misconception that new consent is necessary in EVERY case perhaps explains the explosion in emails coming from companies trying to cover themselves in the immediate run-up to GDPR. But every company and every data set is different. With specialist GDPR advice you can ensure your company devotes its energies to complying with the new data protection landscape in the correct way.
At Big Data Law in London we offer a range of GDPR compliance services to national and international bodies. For an initial conversation on your GDPR requirements call one of our specialist solicitors on 0203 670 5540.