It’s the final countdown to GDPR. It becomes law this week and the general consensus from a lot of marketers, business owners and even legal experts is that they are still not quite sure if and how they can legitimately process personal data for their various operational purposes.
“Consent” seems to have become the default, or utopia, for satisfying GDPR, when in fact there are six legal bases for processing personal data. Consent is just one of these, and even the ICO admits “the GDPR sets a high standard for consent. But you often won’t need consent.” Even if you obtain it, the data subject may withdraw it at any time. To the consumer it also sounds like a slightly sinister commitment to an eternity of marketing emails.
The many organisations chasing consent like headless chickens may be taking unnecessary and laborious action, especially if they are B2B, as we explained in our blog about legitimate interest, which is likely to be the sound legal basis for many marketers. There are employers scratching their heads wondering if their own employees need to consent to the storing and processing of their bank details so they can be paid every month. In this situation there are other more relevant bases, like the contract between the employee and his/her workplace.
So what are these four other bases? Besides consent and legitimate interest (LI), the remaining options are Contract, Legal obligation, Vital interests and Public task. There is not much talk of these – granted they are not as relevant as consent and legitimate interest for marketers, but the world of marcomms encompasses all genres of communication that are now subject to GDPR. For professionals with responsibility for marketing and communications as well as areas like HR and data audits/strategy, these other legal bases are worth exploring and understanding.
Let’s take a look at these other bases in more detail.