Alex Evans, The Supper Club’s programme director, explained that chief among the hurdles of GDPR is how you gain consent or “legitimate interest” in order to process personal data.
“Until now, businesses only had to ask consent once to cover all uses,” Evans said in the report. “Under GDPR, businesses will need separate permission for each different use of data. Consent must also be freely given, informed, clearly agreed and proven.”
You’ll need to explain what you intend to do with said data, in a concise and jargon-free manner. And as Evans suggested, for each time you want to collect data in the future, you need to ask for permission. At the very least you need an existing relationship to send marketing emails.
Steve Henderson, communicator compliance officer at the Direct Marketing Association (DMA), suggests that gaining legitimate interest might be easier.
“You still need to explain and give relevant choices and appropriate control over what you do; but you have a little more flexibility over how you give this information because you can explain about the new data use when you start using it,” Henderson said.
“Weigh up your right to market to someone against their right to privacy; there has to be a clear opt-out offer and a compelling case for why someone might be interested in those goods or services.”
Of course, a justifiable reason for relying on legitimate interest is needed. If the ICO disagrees with your approach, you should be able to explain your reasoning. The Supper Club members all make one crucial point: if the ICO does come knocking on your door, no matter how valid a point you feel you might have, listen to what it has to say and don’t outright ignore any contact it makes.
Writing for Real Business, CEO and founder of personal data governance company PORT.im, Julian Saunders, discusses the mistakes SMEs are making in their GDPR opt-in emails.
Consent also applies to employees
“Currently, employers can justify processing personal data on the basis of employee consent; but there is doubt as to whether or not consent is given freely in the employer-employee relationship,” says Ally Maughan, CEO of People Puzzles and a member of The Supper Club. “GDPR will make it harder for employers to rely on consent to justify processing.”
As with the customer side of things, employers will need to document the lawful grounds for using personal data. To help employers prepare for changes under GDPR, especially in the way of employee contracts, Olivia Sinfield, associate director at law firm Osborne Clarke, set out some guidance in the report.
“Establish what data is processed, why and for how long and then consider which of the legal grounds for processing apply to each data type,” she said.
“Remember that the use of generic clauses in employment contracts which seek to obtain broad consent from the employee to processing of their personal data will not be valid. This is largely because such consent is not ‘freely given’ due to the imbalance of power in the employment relationship.”
“Your contracts should include a re-written data protection clause making compliance with employee obligations in respect of data processing a term of the contract and specifying that breach may result in disciplinary action being taken, up to and including summary dismissal.”
Additional advice included re-writing your Privacy Notice and your Data Protection and Information Handling policy. Another important point is that consent provisions must be included in a separate declaration that is not intrinsically linked to the employee’s acceptance of employment.
Perhaps most importantly, there needs to be an internal process for communicating these changes to employees. Transparency is definitely key.