GDPR: Reasons to be Lawful
There are six lawful reasons to store and process data. I covered one – ‘legitimate interests’ – in my last blog so I thought the next obvious step would be to explain the other five.
I’ll start in order of least general relevance to the majority of the conference industry, so we can quickly get the less interesting ones out of the way, and focus on the more relevant reasons. I’ll also use the terms set out in the act to avoid confusion:
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; it would be in the public interest for the Police to keep data pertaining to an individual’s criminal record for example. The ‘right to be forgotten’ is not an absolute right in this case!
- Processing is necessary for compliance with a legal obligation to which the controller is subject; it may be a legal requirement for a company to keep data relating to a person’s financial transactions – for accounting for example.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; it’s perfectly acceptable to keep data relating to someone with whom you are starting a contract, or with whom you are hoping to start one. This could relate to a non-financial contract too.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes; this is the one that has alarmed everyone. As I have said before, if you can use any of the other five reasons for storing data, then do so. Do not go down the route of asking consent unless it is your only option.
If you do need to ask for consent, then you have to make sure that you ask for it clearly and on a granular level. Article 7 covers the conditions for consent and they are listed on page 17 of our GDPR white paper, which you can view here.
This option is very relevant when asking delegates to register for an event. I can categorically state that your event registration form will have to change under GDPR. When collecting data, consent has to be asked for in a clear and concise manner and not buried deep within the small print. Specific questions need to be asked; you cannot simply bundle consent into one ‘catch all’ statement that simply states ‘marketing’ – you must separate multiple purposes and reasons for using their data into different questions.
You also cannot dictate that consent is part of the deal – for example, that the subject is only allowed to enter an event or receive goods if they give their consent to receiving your newsletter – something you might be able to do if you were only using legitimate interests.
A data subject must give consent affirmatively – i.e. they have to actively say yes, rather than simply not saying no. Equally, pre-ticked boxes that the subject has to untick are not allowed.
You also have to be able to prove that your data subject gave their consent and document exactly what they consented to. In 2016 Honda was fined £13,000 for marketing to people whose data was fed into their central database by their dealers. The dealers may have got permission to use the data, but mandatory fields were not filled in, so Honda could not prove that they had specific permission to do so. Interestingly, this was under the Privacy and Electronic Communications Regulations (PECR) rather than GDPR, so don’t think that just being GDPR compliant is enough!
Consent policies can change over time and so you must keep an audit trail of exactly what wording each data subject has agreed to. And obviously, you can’t change your policy and then assume that just because your data subject has agreed to a past policy that they give their permission for a newer one.
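To show what the consent requirements above mean in practice, here is an added example (not from this blog or any product) of a small append-only consent ledger: one record per subject and per purpose, the exact wording and version agreed to, rejection of pre-ticked or default "yes" values, and a check that only counts a grant made under the wording currently in force. Purpose names, sources and wording are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed illustration of a consent audit trail. Each record keeps who,
# which single purpose, the exact wording and version they saw, when, and the
# affirmative action that produced it. Records are never edited or deleted.

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str        # one purpose per record, never a bundled "marketing"
    wording: str        # the exact statement the subject agreed to
    version: str        # wording/policy version in force at the time
    granted: bool       # True = opted in, False = withdrew
    source: str         # e.g. "checkbox_ticked", "unsubscribe_link"
    recorded_at: datetime

class ConsentLedger:
    # Sources that are not an affirmative act; a grant from these is refused.
    NON_AFFIRMATIVE = {"prechecked_box", "default", "implied"}

    def __init__(self, current_versions):
        # purpose -> (version, wording) currently in force
        self.current = dict(current_versions)
        self.records = []

    def record(self, subject_id, purpose, granted, source, at=None):
        if purpose not in self.current:
            raise ValueError(f"unknown purpose {purpose!r}; define each purpose separately")
        if granted and source in self.NON_AFFIRMATIVE:
            raise ValueError("consent must be an affirmative action, not a default")
        version, wording = self.current[purpose]
        rec = ConsentRecord(subject_id, purpose, wording, version, granted, source,
                            at or datetime.now(timezone.utc))
        self.records.append(rec)  # append-only: the audit trail is never rewritten
        return rec

    def has_consent(self, subject_id, purpose):
        """True only if the latest record is a grant under the current wording version."""
        version, _ = self.current[purpose]
        mine = [r for r in self.records
                if r.subject_id == subject_id and r.purpose == purpose]
        if not mine:
            return False
        last = mine[-1]  # append order is chronological
        return last.granted and last.version == version

    def update_wording(self, purpose, version, wording):
        # A new wording version does not inherit consent given to the old one.
        self.current[purpose] = (version, wording)
```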
Consent relating to children’s data is a completely different matter, and at the moment the provisions around it are a little fuzzy, as they are written with information society services in mind (social media and the like). Thankfully it isn’t generally relevant to our industry, so we don’t need to worry about this.
It is important to remember that none of these reasons to store personal data are carte blanche to keep data indefinitely. You need to have a data retention policy that says how long you will keep personal data for – or at least, how you decide how long to keep the data for. More on that and also privacy policies in an upcoming blog.