It’s the final countdown to GDPR. It becomes law this week and the general consensus from a lot of marketers, business owners and even legal experts is that they are still not quite sure if and how they can legitimately process personal data for their various operational purposes.
“Consent” seems to have become the default, or utopia, for satisfying GDPR, when in fact there are six legal bases for processing personal data. Consent is just one of these, and even the ICO admits “the GDPR sets a high standard for consent. But you often won’t need consent.” Even if you obtain it, the data subject may withdraw it at any time. To the consumer it also sounds like a slightly sinister committment to an eternity of marketing emails.
The many organisations chasing consent like headless chickens may be taking unnecessary and laborious action, especially if they are B2B, as we explained in our blog about legitimate interest, which is likely to be the sound legal basis for many marketers. There are employers scratching their heads wondering if their own employees need to consent to opting-in to the storing and processing of their bank details so they can be paid every month. In this situation there are other more relevant bases, like the contract between the employee and his/her workplace.
So what are these four other bases? Besides consent and LI, the remaining options are Contract, Legal obligation, Vital interests and Public task. There is not much talk of these – granted they are not as relevant as consent and legitimate interest for marketers, but the world of marcomms encompasses all genres of communication that are now subject to GDPR. For professionals with responsibility for marketing and communications as well as areas like HR and data audits/strategy, these other legal bases are worth exploring and understanding.
Let’s take a look at these other bases in more detail.
There doesn’t have to be an actual contract in place between two parties here. This basis refers to processing someone’s personal data to fulfil your contractual obligations to them (e.g. process and deliver an online purchase or an employment contract), or because they have asked you to do something before entering into a contract (e.g. provide a quote):
“The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply and you should consider another lawful basis, such as legitimate interests.” The ICO
One of the GDPR rumours is that businesses will flounder because they won’t be able to respond to customer enquiries without a database of fully-consenting opted-in clients. But if a prospect or customer wants a quote or service, then processing their data is likely to be legitimate under the Contract basis. Of course, what you do with their data thereafter is important. You can’t just add it to a marketing pot or even use it to profile an individual's interests, if it is not necessary to perform the contract itself. Your privacy notice should be updated to make it clear what happens to that data and how long it’s kept for, with justification.
Sounding similar to contract obligations, legal obligation is a basis you can rely on to comply with a common (UK/EU) law or statutory obligation. It isn’t something new, it hails from the 1998 Data Protection Act, so if you are looking at this using this basis and satisfy current law then you should not need to make huge changes.
“The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.” The ICO
This takes us back to the employer/employee scenario, and the misunderstanding of consent. For example, you can rely on the Contract basis to hold an employee’s bank details and rely on Legal obligation to legitimately disclose employees’ salary information when requested to do so by HMRC. Other examples from the ICO include a court order, Act or regulatory requirement that request certain personal data you hold.
It’s important to note under this basis, the individual has no right to erasure, right to data portability, or right to object.
This basis is one you’re unlikely to encounter (hopefully), particularly in a business context. It really is there for matters of life and death, such as disclosing a data subject’s details in a medical emergency or protecting a child.
You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, and planned medical treatment is unlikely to fall into this category.
Any organisation exercising official authority or carrying out a specific task in the public interest can rely on this basis. The focus is on the nature of the function, not the nature of the organisation. It is similar to ‘processing for functions of a public nature’ within the Data Protection Act 1998 so is not really anything new.
You’ll have a lawful basis for processing if you’re
- carrying out a specific task in the public interest which is laid down by law; or
- exercising official authority which is laid down by law.
Private companies may fall into this remit if the nature of the function in question is in public interest, e.g. water companies carrying out a public service.
For all of the bases, you should consider:
- how to keep a record and justification for each basis you’re relying on
- an alternative basis if you’re not confident it’s right – it’s difficult to swap to a different one later on
- individuals’ rights to erasure, data portability and right to object (this differs between the legal basis, but an individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies)
- the need to document your decision that the processing is necessary
- if there is another reasonable way to achieve your purpose without processing the data.
The ICO has a user-friendly lawful basis interactive guidance tool which you can explore here.