As a likely DPO candidate, I’m still having a touch of a tricky time getting to grips with some of the key GDPR concepts, and in an attempt to better familiarise myself with the essential parameters, I am writing this piece as much for my own erudition as for the readers.
At the heart of most of this are these 3 key conditions:
While the first and third parts are pretty self-explanatory, it is the second part which has some inherent complexity, and which falls within the realm of ’Legitimate Interest Assessment’.
The broad regulations around customer data processing are stated in the following articles of law:
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
I see the above points as a logical evolution from the older EU Cookie Laws - under which all websites are already required to offer opt-outs, although the details provided of what the cookies precisely did have always been pretty scant. GDPR is going to force everyone to be very much more explicit about exactly what is going on and by whom.
Legitimate Interest Assessment is an exercise whereby you examine and justify exactly how your customers’ data is being processed and to whose benefit the processing is done. There are obviously numerous services which require a series of manual and/or automated follow-on tasks to deliver the various aspects of the service to the end consumer. When a consumer signs up or signs on for a service - say by registering on and logging into some sort of website or digital app - somewhere along the way, the customer will be required to give their consent by opting in and ticking certain tick-box options - ’agree to terms’ etc. What you describe therein must be wholly explicit, clear and concrete - remember that the customer can opt out at any time and require you by law to remove all their personally identifiable data from your systems.
If it were my details and I thought someone was doing something suspect with them, I would immediately require that my details be removed, lest they found their way into the hands of shadowy criminal elements and/or spammers. So it really is not in your interests to try to hoodwink or confuse your consumer - you need to be honest and upfront, and explain how and why the data processing is required to render the core and essential services the customer signed up for, as well as to maintain and improve standards of quality on an ongoing basis. Using logfiles to track a customer’s every activity - as we do in Affino - must be justified as part of improving the personalisation and general experience of the services we provide. Every tracker or conversion event we log is done in the service of being able to more quickly and effortlessly connect the consumer to the exact content, service or function they need.
Yes, there will be Terms & Conditions, but we will try to be as explicit and holistic as possible in describing what we do and why - having some clear support and reference pages to explain to the consumer what is likely to happen to their data and how. There are further, broader categories of security, safety, liability and other legalities which are pertinent to data processing, but which may be in addition to those core elements stipulated upon sign-up. These elements in particular will require thorough assessment and justification.
It’s in your own best interests to be thorough and transparent - it will encourage customers to be open and honest with you in turn, and should lessen the likelihood and instances of requests for opt-out, removal or erasure.
This exercise involves ratifying that the data processing you carry out is indeed essential to the delivery of the various services your consumers have signed up for - and that those various tasks cannot be handled in other ways. You essentially break down the individual components of processing, data stored etc. and justify the specific use of each. You then triangulate each task to show that it needs to be done in the manner you propose, and could not be handled in any other way to achieve the same outcome.
There are of course ways to try to smother meaning or discombobulate by using obtuse legal terminology or flowery language - yet the consumer will typically find you out - which would likely mean a mass exodus of disgruntled customers and a very hefty fine from the legislators.
Most marketeers are thinking about how all this impacts direct marketing, list marketing and the like. And in the truest sense, list marketing of old will be wholly outlawed - as for a 3rd party to be in possession of your personal details without your explicit consent will be utterly against the law come May 28th 2018, and will be penalised by the harshest financial penalties ever seen in this area.
You will need to evolve cleverer and more automated processes to elicit sign-up and consent from your consumers. An example of this is to use category- or topic-based content subscriptions rather than sending out manually scheduled or organised mailers. With content subscriptions, a customer signs up to content categories of interest - usually article sections - and each time a new article, video etc. is added to a pertinent interest category, the consumers who signed up will be notified of the new content.
Should you then proceed to abuse said mailer by hooking in too many 3rd-party or unrelated elements - say banners etc. - the customer has recourse to unsubscribe, opt out or worse. The ’blanket’ and ’fire-bombing’ mass campaigns of old simply won’t work within the new GDPR paradigm - every time you send something manually, you will need to do a proper Legitimate Interest Assessment - to ensure that you are complying with the letter and spirit of the law. If you have a series of automated services that the customer signs up to and manages themselves, then there is less need for paperwork and additional processes.
The Necessity Test is an essential check to ensure that you are complying with the spirit and letter of the new law, and that you are not going to be abusing your customers or their personal details and data.
This is a matter of weighing up the rights and interests of the consumer against your right to conduct your legitimate business. Organisations must consider the rational and reasonable expectations of their customers - down to an individual level - and set the type of data held and the processes carried out on behalf of the organisation against the rights and interests of the end consumer. This very much involves identifying the potential for harm to the individual in any way - through data leaks, hacking, exposure or other forms of misuse or potential negligence - or in particular through going beyond the letter and intent of the contract and exposing the customer to external and 3rd-party organisations beyond their initial consent.
The balance has actually shifted very much in favour of the consumer - following GDPR, every piece of data connected to the processing of their personal details - additional logfiles etc. - is under the ownership of the individual. Your company / organisation is just temporarily storing their details and data at their behest, and they can at any time issue a ’cease-and-desist’ and demand that you return all their data to them and purge all related records from your own systems.
As far as ’The Right to Erasure’ goes, this does not mean absolutely everything - as you would have no way of verifying any future requirements or obligations without at least some sort of record of First Name, Last Name and Email Address. We are looking into ways of anonymising and archiving this within the system - i.e. making it wholly dormant until and unless the customer triggers these same details at some point in the future.
There are obviously certain types of services - which fall under broader legal frameworks - such as ’serving the public interest’, and which include legalities and liabilities in the areas of documented episodes of misdemeanour, fraud or financial misconduct - say per the services of credit rating agencies. GDPR does not give consumers the right to remove their data from absolutely everything - say government records and officially accredited agencies concerning credit rating, electoral and national registries etc. But it certainly gives consumers full control over their own everyday details and data - and if they don’t like how you / your organisation is using or processing their information - they can ask for removal, and report you to the ombudsman if you fail to comply.
We’re still waiting for some further practical examples of particular and typical scenarios, and much will be clearer in December when the UK Government releases its own full take on GDPR.
As a company, we’ve always tried to operate with utmost clarity and transparency, and we will continue to do the same under GDPR. We are after all ALL consumers, and would want to be afforded the maximum consumer protection available and be able to share that with all our clients and their consumers in turn. There is way too much spoofing, identity theft and fraud going on in the world - it is by far the largest slice of crime currently, yet so many of the victims are largely invisible, and it typically hits your pocket rather than your face. Digital fraud is the multi-billion-dollar crimewave that has been growing at exponential rates for years, and GDPR is just one of the many ways that will try to bring it further under control. There is barely a day that goes by without my receiving / witnessing multiple spoof and spam attempts via desktop and mobile - through email, messaging, calls, advertising and apps.
No one said any of this would be easy, but it really is for the good of everyone in the long-term.