GDPR: the hows and the whys
In the third of a series of four articles, marketing expert Charlotte Graham-Cumming, director of Varia Solutions, examines the bases for legal data processing under the new laws
With new legislation to comply with from May 25, it is essential for companies and retailers that will be processing personal data to make sure that they are legally entitled to do so and that they perform the task in a lawful way.
There are eight basic principles that underpin GDPR, and six bases for processing data lawfully.
In this article, we review what they are, and how they should impact your risk assessments and processing decisions – see the two boxout panels on this page for more information.
Ideally you should use these eight principles when formulating any risk analysis, data processing or decision around personal data. It’s a useful checkpoint to help keep you on the right track in terms of compliance.
As you will see, there’s a lot to consider in relation to GDPR. However, following the framework I have outlined should make it simpler to understand and to keep within the letter of the law.
If you work with an expert, you’ll definitely progress faster, particularly as they’ll have access to templated documents and processes.
There’s no need to panic, but don’t bury your head in the sand either – May 25 is only round the corner.
Can I use the data legally?
Once you have understood the principles in the other boxout panel, you then need to look at which lawful basis you can use to process each element of personal data that you hold. Most lawful bases require that the processing is ‘necessary’. If you could reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
The six bases for lawful processing are:
- Consent
Did I get consent from the individual to do this? Be aware that consent can be easily withdrawn.
- Contract
Where the processing is necessary to create or perform a contract with the individual.
- Compliance with legal obligation
For example, for tax and financial record-keeping or employment law.
- Protect the vital interests of the individual
In the case of emergency medical treatment.
- In the public interest or on official authority
For example, a criminal trial.
- Legitimate interest
There are specific criteria for being able to process personal data using legitimate interest. Direct marketing can be a legitimate interest, however you should make yourself familiar with the Privacy and Electronic Communications Regulations (PECR), because they sit alongside GDPR and impose stricter rules in some instances (see https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr). For example, you can’t direct market to consumers by e-mail without their consent, unless the narrow ‘soft opt-in’ for existing customers applies.
The principles for processing
Lawful and fair processing
In the context of the individual, consider whether you are breaking any laws and if the way in which you’re processing the data is “fair” to the individual.
Only for specified purpose
When you process personal data, you have to state the purpose for which you are using it. For example, when you process data to fulfil a contract (see ‘Can I use the data legally?’ panel), you can’t then use that data for marketing purposes unless you have consent to do so. As soon as the purpose for processing that data changes, you need to have a new lawful basis in place for the new purpose.
Use it adequately and relevantly
This provision is to tackle companies using data in a way that is not relevant to the individual. For example, sending hundreds of marketing e-mails each year to people, sending them content that’s not relevant to them, or sharing their data with irrelevant third parties.
Keep data accurate and up to date
When you store personal data, you have an obligation to ensure it stays accurate and up to date, so you’ll need to screen it regularly. This can be done through self-service, asking people to update their own information, or by processing your data through a third-party tool.
Don’t keep longer than necessary
There are no hard-and-fast rules here, as it can change dramatically by industry. You need to assess how long you need to keep the personal data for and why. For instance, you could keep data in case of a product recall for seven years, but remove from your marketing lists after one year, if there is no response to your campaigns.
Data processed in accordance with data subject rights
There are a number of individual rights that you have to be aware of, such as the right of access, the right to rectification, the right to erasure, the right to object and the right to data portability. Make sure you can accommodate these rights within the required time frame, which is generally one month from receipt of the request.
Take appropriate measures to protect data
Security is a huge consideration in GDPR, especially given recent, high-profile data breaches. You need to ensure that you have the right staff training, accountability and technical measures in place to reduce the risk of a breach.
Only transfer data internationally if the country and organisation receiving it meet GDPR’s requirements
Check whether the countries you transfer data to are covered by an EU adequacy decision or another approved transfer mechanism (the old ‘safe harbour’ arrangement no longer applies), and ensure all entities you share data with have signed a data-processing agreement with you.