GDPR is here!

Can you demonstrate that you comply?

Is this a Privacy Notice????

Well, it might be, but not in this country or in relation to data protection.

Hopefully by now, we all know that, under GDPR, when an organisation collects personal information from an individual, the controller (the organisation) shall at the time when the information is obtained, provide certain information regarding how they are going to process the personal data. This is a Privacy Notice, although it is often referred to as a privacy policy.

If personal data is obtained from a third party, that does not negate the organisation’s responsibilities towards the individual, and a Privacy Notice should still be provided unless an exemption applies.

The purpose of the Privacy Notice is to provide information about how the individual’s personal information will be handled, including the legal basis for processing, who their information will be shared with (if anyone) and how long it will be retained. It will also explain the individual’s rights relating to the processing of the information.

A Privacy Notice should be concise, transparent and intelligible, use clear and plain language, and be provided in an easily accessible form. Although it can be provided verbally in some circumstances, it should be provided in writing whenever possible, including by electronic means.

If you have a ‘Contact Us’ page on your website or you obtain personal information through your website, then your Privacy Notice should be accessible through that means. However, in many cases, the Privacy Notice link on an organisation’s website directs the user to a Cookie Policy, not a Privacy Notice. These are not the same thing. Cookie Policies or, to use the correct terminology, Cookie Notices, will be covered next week.

Legitimate Interests – A balancing act

‘Legitimate interests’ is one of the six lawful bases for processing personal data and is regarded as the most flexible, as it can be used in many different circumstances. However, it is not necessarily the most appropriate in every case and it can be more difficult to satisfy the relevant criteria than some of the other legal bases. This is because you will need to consider not only the interests of your organisation, but also the rights, interests and freedoms of the individuals affected. In reality, legitimate interests is best suited to situations where the individuals concerned are likely to have a reasonable expectation that your organisation will use their personal information in the way you have chosen to use it and where the impact on their privacy is likely to be minimal.

If you choose to rely on legitimate interests, you will need to carefully balance the rights and interests of all parties concerned. The following 3-part legitimate interests test is useful for this purpose.

Purpose Test - You need to identify what the legitimate interest is. For example, you may believe it is in your legitimate interests to market your service or product.

Necessity Test – You need to assess whether you NEED to process the personal data in this way to achieve your goal. For example, do you need to conduct telemarketing to sell your product or service, or can the marketing be done in a different, less intrusive way, such as online advertising or leaflet drops? If so, legitimate interests will not apply.

Balancing Test – You need to balance the interests of each party and assess whether the individuals’ interests override the legitimate interest identified. For example, in the case of marketing, you need to ensure that what you do is proportionate and will only have a minimal impact on an individual’s privacy and you do not use their personal data in a way that they are likely to object to. You also need to comply with the Privacy and Electronic Communications Regulations when conducting any form of electronic marketing, including marketing by email, text and live or automated voice calls.

Consent Under GDPR
Consent is one of the six legal bases that you can rely on to process personal information and it is often relied upon for marketing. However, it is not always the most appropriate and consideration should be given to the rationale behind relying on consent, especially as consent can be withdrawn at any time and, if this happens, you cannot simply switch to one of the other legal bases to process personal information. The other five legal bases are: for the purposes of a contract, legitimate interests, compliance with a legal obligation, vital interests or in the public interest.

Historically, there has been confusion as to what consent is and many websites used wording that required an individual to ‘opt out’ (rather than ‘opt in’) or they used complicated wording, so no one was really sure what they were agreeing to.

GDPR specifies what constitutes valid consent, but despite this, many organisations are still not compliant.

Consent must be:

Freely Given
This means that you need to give the individual a ‘real choice’ about whether or not to provide consent, as they need to have control over what happens to their personal data. Also, GDPR requires that it must be as easy to withdraw consent as it is to give it. Therefore, the consent may not be valid if:

· the individual feels pressured to give consent because of an imbalance of power, such as in an employer/employee relationship;

· the individual will suffer a detriment if they do not give consent, such as being denied access to a benefit or service simply because they refuse to give consent for an unrelated purpose, such as marketing;

· it is bundled up within non-negotiable terms and conditions of a contract;

· the consent is a term of a contract, but it is not actually needed for the purpose of fulfilling the contract; or

· the individual is subjected to a protracted process to withdraw consent.

GDPR requires transparency, fairness and lawfulness. Therefore, you should provide individuals with sufficient information to allow them to make an informed decision. This information could be provided in a Privacy Notice.

If you propose to use the personal data in numerous different ways or for multiple purposes, you should give individuals a choice about which element(s) to consent to. For example, they may wish to consent to receive marketing from you but not from any third parties you are associated with or they may wish to consent to emails from you but not telephone calls.

Being specific links in with the requirement for consent to be informed and granular, in that you must very clearly explain to individuals exactly how you propose to use their personal data and distinguish between the various elements of processing activities.

The consent must be unambiguous, which means that you must not use confusing language with double negatives, etc. Consent must be given by a clear affirmative action, such as ticking an ‘opt in’ box. ‘Opt-out’ boxes should not be used, and neither should pre-ticked boxes.

Clear affirmative action
A positive action by the data subject to confirm that they agree to the processing for that purpose.

Under the Accountability Principle of GDPR, you, as an organisation and a Controller, must be able to demonstrate that you obtained valid consent before processing personal information. Therefore, it is important not only to obtain GDPR-grade consent, but also to retain proof of it.

It is now over nine months since the GDPR came into our lives (well, some of us considerably longer) and organisations are starting to get to grips with the concept of the new law. Although many organisations seem to have a basic grasp of the principles, one that is often overlooked is the Accountability Principle, which really is paramount to you as a business.

Speaking at the 17th Annual Data Protection Practical Compliance Conference, James Dipple-Johnstone, the ICO’s Deputy Commissioner of Operations, warned organisations: “If you want to keep the ICO from your door, don't underestimate the importance of transparency and accountability.”

So, what does this principle mean? In short, it means “prove it”. Prove that your organisation complies with the GDPR. It is not good enough to simply say that you do. For example, you have to demonstrate that you have appropriate policies and procedures in place; that you provide training to your staff; that you have GDPR compliant written contracts in place with processors and joint controllers and that you carry out Data Protection Impact Assessments, if you wish to introduce a change to how you deal with personal information, which is likely to result in a high risk to individuals’ interests.

In other words, you need to put in place appropriate technical and organisational measures to meet the requirements of the new law AND demonstrate that you have done this, i.e. you have to prove your compliance.