Alex Evans, The Supper Club‘s programme director, explained that chief among the hurdles of GDPR is how you gain consent or “legitimate interest” in order to process personal data.
“Until now, businesses only had to ask consent once to cover all uses,” Evans said in the report. “Under GDPR, businesses will need separate permission for each different use of data. Consent must also be freely given, informed, clearly agreed and proven.”
You’ll need to explain what you intend to do with said data, in a concise and jargon-free manner. And as Evans suggested, for each time you want to collect data in the future, you need to ask for permission. At the very least you need an existing relationship to send marketing emails.
Steve Henderson, communicator compliance officer at the Direct Marketing Association (DMA), suggests that gaining legitimate interest might be easier.
“You still need to explain and give relevant choices and appropriate control over what you do; but you have a little more flexibility over how you give this information because you can explain about the new data use when you start using it,” Henderson said.
“Weigh up your right to market to someone against their right to privacy; there has to be a clear opt-out offer and a compelling case for why someone might be interested in those goods or services.”
Of course, a justifiable reason for using legitimate interest in needed. If the ICO disagrees with your approach, you should be able to explain your reasoning. The Supper Club members all make one crucial point: If the ICO does comes knocking on your door, no matter how valid a point you feel you might have, listen to what it has to say and don’t outright ignore any contact it makes.
Writing for Real Business, CEO and founder of personal data governance company PORT.im, Julian Saunders, discusses the mistakes SMEs are making in their GDPR opt-in emails.
Consent also applies to employees
“Currently, employers can justify processing personal data on the basis of employee consent; but there is doubt as to whether or not consent is given freely in the employer-employee relationship,” says Ally Maughan, CEO of People Puzzles and a member of The Supper Club. GDPR will make it harder for employers to rely on consent to justify processing.
As with the customer side of things, employers will need to document the lawful grounds for using personal data. To help employers prepare for changes under GDPR, especially in the way of employee contracts, Olivia Sinfield, associate director at law firm Osborne Clarke, set out some guidance in the report.
“Establish what data is processed, why and for how long and then consider which of the legal grounds for processing apply to each data type,” she said.
“Remember that the use of generic clauses in employment contracts which seek to obtain broad consent from the employee to processing of their personal data will not be valid. This is largely because such consent is not ‘freely given’ due to the imbalance of power in the employment relationship.”
“Your contracts should include a re-written data protection clause making compliance with employee obligations in respect of data processing a term of the contract and specifying that breach may result in disciplinary action being taken, up to and including summary dismissal.”
Additional advice included re-writing your Privacy Notice and Data Protection and Information Handing policy. That consent provisions must be included in a separate declaration which is not intrinsically linked to the employee’s acceptance of employment, is another area of importance.
Perhaps most importantly, there needs to be an internal process for communicating with employees these changes. Transparency is definitely key.