Let’s do a quick review of Article 5, which stipulates the principles of data processing, before moving forward. You can process data, but you must follow these guidelines:
- Lawfulness - All data needs to be obtained, handled and stored according to law.
- Fairness - Data is processed in ways the data subject would reasonably expect and not to their unjustified detriment; in practice this also means data subjects must be able to exercise their rights easily (access, rectification, portability and erasure, the "right to be forgotten").
- Transparency - All processing is done in an open, defined manner, so that data subjects are left in no doubt about how their data is processed (clearly documented, in plain language.)
- Purpose limitation - Data is only processed for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
- Data minimization - Processing is limited to data that is directly linked to the aforementioned purpose.
- Accuracy - The data is accurate and up to date, and all reasonable steps should be taken to correct inaccurate data or delete it.
- Storage limitation - Data is stored for no longer than is explicitly needed for the aforementioned purposes.
- Integrity and confidentiality - Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability - The data controller is responsible for, and must be able to demonstrate, compliance with the aforementioned principles (the processes, rights and technical solutions have to be defined and documented, not just implemented.)
While this is quite a substantial list, what it means in a nutshell is that you should only process data that you need, you must obtain it legally, transfer, handle and store it securely, keep it accurate, and keep it only for as long as you legitimately need it. You must also give data subjects access to their own personal data when they ask for it.
Out of all of these principles, the “purpose limitation” part has people most confused.
Do I need to ask consent for everything? Does previous consent still apply? And how do I know if I have a legitimate purpose for processing?
Article 6 of GDPR helps us answer these questions, and I'll break it down into the six lawful bases for processing to make it easier to understand.
1. Consensual processing for specific purposes, meaning that the data subject has given you the right to process data for a specific purpose.
The consent given needs to be freely given, specific, informed and unambiguous, expressed by a statement or a clear affirmative action, so you can't infer consent from silence or inaction (this means no pre-ticked boxes or default opt-ins). This is most relevant for marketing, as it signals a switch from an opt-out model to an opt-in model, and it will have a significant impact on newsletters and general marketing communication sign-ups.
Here's the sticking point: if you "gained" consent the old way, for example with a pre-ticked box, that consent is no longer valid, so any previous marketing trickery can get you in trouble and you have to obtain consent again in the correct form. And even when you have obtained consent in the right form, you still have to be able to demonstrate that you did: keep a record of who consented, to what, when and how, because Article 7 requires consent to be verifiable.
Though this is a game-changer for marketing, it's not the only lawful way to process data.
2. To perform contractual or service related obligations.
The ways you process data need to be shown, but you don't need to define every minuscule step (it's enough to say you'll store contact information for billing purposes, without spelling out every detail needed to do that). For most data processing carried out (besides marketing) this is the lawful basis to rely on. From activity logs to contact details to retention for the life of the contract, if the processing is genuinely necessary to deliver the service the customer has contracted for, this covers it. Note the word necessary: processing that is merely convenient or useful to you is not covered by this basis.
3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
All companies have certain legal obligations when it comes to people using their services, such as data retention duties for communication providers under anti-terrorism laws, or handing over data to the police to assist in investigations. For these purposes consent isn't required, because the legal obligation itself is the lawful basis; the authorities retain the right to demand access regardless of what the data subject agreed to.
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
This basis is narrower than it sounds. Recital 46 ties it to interests that are essential for the life of the data subject or another person, and gives humanitarian emergencies, natural disasters and the monitoring of epidemics as examples. A typical case is sharing an unconscious patient's medical data with emergency staff who cannot ask for consent. Recital 46 also says that vital interests should in principle only be relied on where the processing cannot manifestly be based on another legal basis, so everyday business scenarios (say, a loan provider keeping a record of an accident that delays repayments, or a bank retaining account details through years of inactivity) belong under the contract or legal obligation bases, not here.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This is the basis for the state and its authorities to process data in the public interest where the law provides for it (Article 6(3) requires the task or authority to be laid down in EU or member state law). It is pretty straightforward and applies to public bodies and to organisations performing such tasks on their behalf, such as contractors exercising an official function.
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This is the most vague basis of the six, but GDPR recitals 47-50 (see below) help us clear it up a bit, and I suggest you read them to get a better understanding of what they mean. For example, Recital 47 notes that direct marketing may be regarded as a legitimate interest, but it is not a blanket licence to process data without consent, as that would defeat the purpose of GDPR. You have to carry out and document a balancing test showing that your interest is not overridden by the data subject's rights and reasonable expectations, and you must still honour their right to object.
The GDPR is a regulation replacing the 1995 Data Protection Directive, which stood for 23 years. It's kept deliberately broad to cover future developments in an information-saturated world for at least as long, and it is designed to give EU citizens and residents control of their personal data.
While this leads to extended obligations for organisations, and a more difficult setting for marketers and salespeople, the aims are noble. As with any regulation this broad in scope, there will still be confusion for years to come, and clarity will come through regulator guidance and case law.
I hope this at least helps clear a few things up. I’ll have more for you over the coming weeks.