With the General Data Protection Regulation (GDPR) enforcement date of May 25th 2018 approaching, businesses are assessing the gap between how they operate now and how they must operate to be accountable under the GDPR. Achieving accountability is multi-faceted: every tier of the business, from director level through department representatives to individual employees, needs the governance and systems in place that let the business work towards accountability.
It can begin with a rigorous examination of the personally identifiable information the business collects: the lawful basis and purpose for which it is collected, whether the business informs individuals of that basis and those purposes, whether it is fully transparent about how it intends to use the information, and how the individuals from whom it is collected can exercise the rights conferred on them under the GDPR. Having appropriate record-keeping in place to be able to demonstrate accountability is a key factor in meeting the obligations of the Data Controller (the business).
What is your lawful basis?
If you hold and process a database of individuals’ personal information, you need to consider the lawful basis on which you carry out that processing.
For most businesses, the lawful basis for processing is likely to fall under one of the following:
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Legitimate Interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
With the GDPR fast approaching and businesses realising they need a firm footing for how they process personal information, it can be tempting to see legitimate interest as the basis on which they can claim to continue processing the information they currently hold. I would add a word of warning on this line of thinking, though. Legitimate interest is not carte blanche to process as you please based on your own interpretation that it is in your interest as a company, or in the individuals’ interest.
It is important to take note of the qualification of legitimate interest stipulated in Article 6(1)(f) of the GDPR, which applies “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Legitimate interest is not as clear-cut as it may seem on the face of it. The legitimate interests of the business need to be balanced against the rights and interests of the individual.
You need to take a hard look at how you originally collected the information that you are processing. Did you offer a form of consent at the time? If so, consent is the basis on which you intended to process the information. Is that consent GDPR compliant? Specifically, was the individual informed of the specific purposes for which their information would be used, and were they able to object to those purposes where they were not required for the core function for which you were processing their information?
Legitimate Interest is not a band-aid
"The lawful basis cannot be modified in the course of processing. Hence, the controller cannot swap between lawful bases. For example, it is not allowed to retrospectively utilise the legitimate interest basis in order to justify processing, where problems have been encountered with the validity of consent. Therefore, under the GDPR, controllers that ask for a data subject’s consent to the use of personal data shall in principle not be able to rely on the other lawful bases in Article 6 as a “back-up”, either when they cannot demonstrate that GDPR-compliant consent has been given by a data subject or if valid consent is subsequently withdrawn." - WP29 Consent Guidelines, November 2017
An industry example – meet Galaxy Recruitment
An example I’ll use to illustrate the problem that lawful basis can pose is in that of the recruitment industry, as it’s an area that I’m familiar with in helping agencies with their data protection challenges. Let’s call this fictional agency Galaxy Recruitment.
Galaxy Recruitment hold and process individuals’ personal information for many purposes. Among others they:
- Match their contacts with new job opportunities as they come in
- Send their contacts regular updates of new jobs
- Send their contacts career advice and relevant industry news to nurture their contacts
- Have invested in systems to send job alerts to their contacts when a job comes up requiring skills that match a contact’s profile
As they grew their contact database over the years they collected personal information from various sources—some from potential candidates who applied for jobs, some from direct sourcing of the individuals by the agency itself.
In some cases, Galaxy Recruitment has consent from individuals, but it was taken in quite a general context when individuals agreed to their terms and conditions. The consent was not unbundled for the various purposes that Galaxy intended to use their information for.
With GDPR coming down the pike, they want to assess whether they will be accountable under the regulation if they continue processing data as they have been. Since it is not possible for them to be sure of the conditions under which they collected personal information over the years for all their contacts, they considered under what lawful basis they could continue to process it now.
There are three potential bases that could fit, under differing conditions, for their business:
- Consent
- Legitimate Interest
- Contractual Necessity
As they collected consent in a bundled manner (via their T&Cs), and don’t hold it for all of their contacts for the various purposes for which they process their information, they cannot claim that they currently have valid consent under the GDPR.
Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
When considering legitimate interest, it is important to balance the company’s legitimate interest against the rights and interests of the individual. The context in which the personal information was collected would factor in to the balance test when considering whether legitimate interest would be a lawful basis for processing of the personal information. The individual would need to have a reasonable expectation that, in the context of how the agency obtained their personal information, it would be processed for the purposes for which they intend to use it. If the agency wishes to use the personal information beyond the original purpose they should gain consent for that subsequent processing purpose or have another lawful basis for doing so.
In Galaxy Recruitment’s case, it is reasonable for them to say that they have a legitimate interest in processing a candidate’s information as part of the sourcing process, provided they found that information in a context where the individual could reasonably expect it to be collected for those purposes (e.g. a public website with a recruitment context, like LinkedIn). This, however, is only the first step. As part of their initial outreach to potential candidates, they should provide a way of giving affirmative consent to continued processing of their information. If the potential candidate does not give this affirmative consent, Galaxy Recruitment should stop processing their information and remove it. If the candidate explicitly objects, using the mechanism provided, to processing for the purposes that Galaxy Recruitment intends, the objection should be recorded so that it prevents further unintended processing of their information by other company employees in future.
If the agency has a contract to perform a service for the individual, this is a lawful basis for processing their information. It cannot, however, be taken as grounds for processing their information for subsequent differing purposes. If the agency is processing the information beyond the original purpose it was collected and entered into contract under, they should gain consent or have another lawful basis for doing so. The necessity for performance of a contract is not a lawful basis for processing special categories of data.
Therein lies the rub
Galaxy Recruitment are in a bit of a bind because the personal information they have collected over the years, with the best of intentions on their part to build a network of qualified human talent that they can help along their career path, has been exposed to feature creep. They have varying degrees of certainty for how the information was sourced and the record-keeping has been inconsistent at best in terms of being able to demonstrate the lawful basis on which they collected it at the time.
As they have not been capturing or maintaining the original grounds for processing the personal information, the best course forward for them is to place all their contacts on an equal footing by choosing a lawful basis that they intend to process under going forward and becoming demonstrably accountable under that lawful basis.
For those contacts where they have contracts in place, they would need to demonstrate that, for all the purposes for which they process personal information that are not required to deliver on the contract itself, they have another valid lawful basis for this processing.
Consent is the gold standard where there is uncertainty in applying another lawful basis. It is on this basis that Galaxy Recruitment can best be demonstrably accountable for the individual purposes that they wish to process personal information.
Should you decide that you need to place your database of individuals on an even footing as to how their information is processed, I’ll suggest a blueprint that you can follow. This is not a wave-a-magic-wand, press-a-few-buttons, send-a-few-emails-and-it’s-sorted solution. It will take consideration and investment on your part to prepare and implement it for your business. It is a combination of technical and organisational measures that will put you on a path towards accountability.
Review the data you are collecting
Review the data that you are currently collecting and determine whether you need all the various classes of personal information that you have been recording for “in case I need it” scenarios. If you don’t need it for the purposes you are currently processing, remove it and stop collecting that type of information going forward.
Start processing and recording on a lawful basis
Informing individuals of the purposes for which you process their information is certainly a User Experience (UX) challenge, and the guidelines suggest that you use a layered approach to display this information, allowing the individual to drill down and learn more about the processing as they see fit. Have a system in place for recording their consent and the terms under which it was given.
“If consent is to be given by electronic means, the request must be clear and concise. Layered and granular information can be an appropriate way to deal with the two-fold obligation of being precise and complete on the one hand and understandable on the other hand.” - WP29 Consent Guidelines, November 2017
You should put in place a versioning process for keeping track of the processing terms that people are consenting to, as they change over time. Being able to demonstrate accountability by showing the original terms that were consented to is important.
Sometimes you will use legitimate interest to make initial contact with an individual (as when a recruitment agency sources contact information from a recruitment-based website) and will then need to gain consent to process that person’s information for purposes beyond that initial contact. I would advise having a system in place that lets your employees send an email or SMS containing a link to the purposes for processing that they may already have explained to the new contact on the phone or another channel, and that captures the contact’s consent along with a version identifier for the terms they agreed to. It is important that you capture consent for each specific purpose for which you wish to process their information.
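As an added example (this is not code from the post), the following Python consent ledger implements the record-keeping this section describes and the objection handling described earlier for Galaxy Recruitment’s outreach: one record per contact and purpose, each tied to a version identifier for the terms that were shown, with withdrawals and objections recorded so that a later permission check by any employee or system refuses processing. Consent for two purposes cannot be bundled into one record because the API only accepts one purpose per call. All contact names, purposes, dates and terms wording are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class TermsVersion:
    """One published wording of the terms for a single processing purpose."""
    version_id: str
    purpose: str
    text: str
    published_at: datetime


@dataclass
class ConsentRecord:
    """Consent from one contact for one purpose, tied to the terms they saw."""
    contact_id: str
    purpose: str
    terms_version: str
    given_at: datetime
    channel: str                        # how it was captured, e.g. "web-form"
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Consent records plus objections; one purpose per record, never bundled."""

    def __init__(self) -> None:
        self._terms: dict[str, TermsVersion] = {}
        self._records: list[ConsentRecord] = []
        self._objections: dict[tuple[str, str], datetime] = {}

    def publish_terms(self, terms: TermsVersion) -> None:
        if terms.version_id in self._terms:
            raise ValueError(f"terms {terms.version_id!r} already published")
        self._terms[terms.version_id] = terms

    def current_terms(self, purpose: str) -> TermsVersion:
        """Latest published wording for a purpose (what new contacts are shown)."""
        candidates = [t for t in self._terms.values() if t.purpose == purpose]
        if not candidates:
            raise KeyError(f"no terms published for purpose {purpose!r}")
        return max(candidates, key=lambda t: t.published_at)

    def record_consent(self, contact_id: str, purpose: str, terms_version: str,
                       channel: str, given_at: datetime) -> ConsentRecord:
        """Record consent for exactly one purpose against a known terms version."""
        terms = self._terms.get(terms_version)
        if terms is None or terms.purpose != purpose:
            raise ValueError(f"{terms_version!r} is not a version of {purpose!r}")
        if given_at < terms.published_at:
            raise ValueError("consent cannot predate the terms it cites")
        record = ConsentRecord(contact_id, purpose, terms_version, given_at, channel)
        self._records.append(record)
        return record

    def withdraw_consent(self, contact_id: str, purpose: str, at: datetime) -> int:
        """Mark every live record for this contact/purpose withdrawn; return count."""
        count = 0
        for r in self._records:
            if (r.contact_id, r.purpose) == (contact_id, purpose) and r.withdrawn_at is None:
                r.withdrawn_at = at
                count += 1
        return count

    def record_objection(self, contact_id: str, purpose: str, at: datetime) -> None:
        """An objection withdraws existing consent and blocks any later processing."""
        self._objections[(contact_id, purpose)] = at
        self.withdraw_consent(contact_id, purpose, at)

    def active_consent(self, contact_id: str, purpose: str) -> Optional[ConsentRecord]:
        """The record that justifies processing right now, or None (objection wins)."""
        if (contact_id, purpose) in self._objections:
            return None
        live = [r for r in self._records
                if (r.contact_id, r.purpose) == (contact_id, purpose) and r.withdrawn_at is None]
        return max(live, key=lambda r: r.given_at) if live else None

    def is_permitted(self, contact_id: str, purpose: str) -> bool:
        return self.active_consent(contact_id, purpose) is not None


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample data: two purposes, two contacts, one terms revision."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.publish_terms(TermsVersion("job-alerts-v1", "job-alerts",
                                      "We email you jobs matching your profile.",
                                      datetime(2018, 1, 10, tzinfo=utc)))
    ledger.publish_terms(TermsVersion("newsletter-v1", "newsletter",
                                      "We send a monthly careers newsletter.",
                                      datetime(2018, 1, 10, tzinfo=utc)))
    # Alice consents separately to each purpose on the original wording.
    ledger.record_consent("alice", "job-alerts", "job-alerts-v1", "web-form",
                          datetime(2018, 2, 1, tzinfo=utc))
    ledger.record_consent("alice", "newsletter", "newsletter-v1", "web-form",
                          datetime(2018, 2, 1, tzinfo=utc))
    # The job-alert terms are revised later; Alice's record keeps citing v1.
    ledger.publish_terms(TermsVersion("job-alerts-v2", "job-alerts",
                                      "We email and SMS you jobs matching your profile.",
                                      datetime(2018, 3, 1, tzinfo=utc)))
    # Alice withdraws newsletter consent; Bob consents to v2 via SMS link, then objects.
    ledger.withdraw_consent("alice", "newsletter", datetime(2018, 3, 15, tzinfo=utc))
    ledger.record_consent("bob", "job-alerts", "job-alerts-v2", "sms-link",
                          datetime(2018, 3, 5, tzinfo=utc))
    ledger.record_objection("bob", "job-alerts", datetime(2018, 4, 1, tzinfo=utc))
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    for contact, purpose in [("alice", "job-alerts"), ("alice", "newsletter"), ("bob", "job-alerts")]:
        rec = demo.active_consent(contact, purpose)
        print(contact, purpose, f"permitted under {rec.terms_version}" if rec else "NOT permitted")
```

The permission check is the part worth wiring into every outbound process (job matching, alert sending, newsletter dispatch): an objection is stored separately from the consent records so that even a later, mistakenly recorded consent cannot reopen processing for that contact and purpose, and `active_consent` returns the exact terms version the person agreed to, which is what you would produce to demonstrate accountability.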
Provide a preference management interface
GDPR requires that you enable numerous rights for the individuals whose personal information you hold. Among the rights that lend themselves to being provided via a management portal are:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
As part of your consent initiative, having a preference portal where individuals are able to manage their consent for the specific purposes that you process their information is an ideal way to enable their rights under GDPR. An example of the specific consents that people would manage for our Galaxy Recruitment example could be:
- Consent to send you our Newsletter, offering valuable career insights and industry news.
- Consent to send you job alerts
- Consent to match you with jobs that suit your skills
Gain consent or inform your contacts of your determined other lawful basis
If consent is the lawful basis you have determined for carrying out your processing, plan a strategy for reaching out to your contacts and inform them of the purpose of each processing operation for which consent is being sought, as well as:
- the controller’s identity
- what (type of) data will be collected and used
- the existence of the right to withdraw consent
- information about the use of the data for decisions based solely on automated processing, including profiling, in accordance with Article 22 (2)
- if the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards (Article 49 (1a)).
It is crucial to remember that you need to gain consent for each processing purpose.
Reconnect with your audience
I’d suggest that before the GDPR comes into force from May 25th 2018, it might be worth warming up your contacts to your brand. You could do that by segmenting your contacts between those who have been in touch with you recently (e.g. applied for a job recently, received communications from you) and those who may not have heard from you in a while. Craft your message to each of these segments appropriately.
For those that you have not been in touch with for a while, send out relevant communications that they are likely to find of value. An engaged audience is more likely to want to stay engaged when it comes to asking them to consent to your various purposes for future processing. Be sure to include an unsubscribe option in these communications.
Renew & Record
Before May 25th arrives, initiate your Consent Initiative project, to put all your contacts on an equal footing. Enable your contacts to manage the individual purposes that you wish to process their information. Inform them of their rights and disclose the information required to meet your transparency obligations when gaining consent. Record their responses so as to be accountable. It would be wise to have an automated system in place to follow up a limited number of times if you do not hear back from them within a defined period. Have a cut-off date in place. Where you have not gained consent from contacts by your cut-off date, you should delete their data.
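As an added example (not code from the post), here is the follow-up and cut-off logic for the Consent Initiative described above in Python: each contact is either kept (consented), deleted (declined, or silent past the cut-off date), reminded (no answer yet, reminder interval elapsed, reminder budget not exhausted) or left to wait. The reminder interval, the maximum of two reminders, the cut-off date and the sample contacts are constructed assumptions, not figures from the post.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class OutreachState:
    """Where one contact stands in the consent-renewal campaign (constructed)."""
    contact_id: str
    last_asked: date        # date of the initial request or the latest reminder
    reminders_sent: int
    answered: bool          # any recorded response, whether consent or refusal
    consented: bool


@dataclass(frozen=True)
class CampaignPolicy:
    """Constructed policy values; pick your own interval, budget and cut-off."""
    reminder_after: timedelta = timedelta(days=7)
    max_reminders: int = 2
    cutoff: date = date(2018, 5, 18)


def next_action(state: OutreachState, today: date, policy: CampaignPolicy) -> str:
    """Decide keep / delete / remind / wait for a single contact."""
    if state.consented:
        return "keep"
    if state.answered:                     # declined: no basis to keep holding the data
        return "delete"
    if today >= policy.cutoff:             # still silent at the cut-off: delete
        return "delete"
    if (state.reminders_sent < policy.max_reminders
            and today - state.last_asked >= policy.reminder_after):
        return "remind"
    return "wait"


def plan_campaign(states, today: date, policy: CampaignPolicy = CampaignPolicy()):
    """Group contact ids by the action due today."""
    plan: dict[str, list[str]] = {"keep": [], "delete": [], "remind": [], "wait": []}
    for s in states:
        plan[next_action(s, today, policy)].append(s.contact_id)
    return plan


def advance(states, today: date, policy: CampaignPolicy = CampaignPolicy()):
    """Apply today's plan: send reminders, drop deletions, return the survivors."""
    survivors = []
    for s in states:
        action = next_action(s, today, policy)
        if action == "delete":
            continue                        # erase the record entirely
        if action == "remind":
            s = OutreachState(s.contact_id, today, s.reminders_sent + 1, False, False)
        survivors.append(s)
    return survivors


# Constructed sample contacts at various stages of the campaign.
DEMO_STATES = [
    OutreachState("alice", date(2018, 4, 20), 0, True, True),    # consented
    OutreachState("bob", date(2018, 4, 20), 0, False, False),    # silent, reminder due
    OutreachState("carol", date(2018, 4, 10), 2, False, False),  # silent, reminders exhausted
    OutreachState("dave", date(2018, 4, 25), 1, True, False),    # declined
    OutreachState("erin", date(2018, 4, 28), 0, False, False),   # silent, too soon to remind
]


def demo(day_iso: str):
    """Plan and apply one campaign day over the sample contacts."""
    today = date.fromisoformat(day_iso)
    return plan_campaign(DEMO_STATES, today), [s.contact_id for s in advance(DEMO_STATES, today)]


if __name__ == "__main__":
    for day in ("2018-05-01", "2018-05-18"):
        plan, remaining = demo(day)
        print(day, plan, "remaining:", remaining)
```

Running `demo` on a day before the cut-off reminds only the contact whose interval has elapsed and whose reminder budget remains, and deletes the contact who declined; on the cut-off day every contact still silent is deleted and only consented contacts remain, which is the deletion step the post calls for. Keep the decision in one function like `next_action` so that the reminder cadence and cut-off are enforced by the system rather than by whoever happens to be running the mailing that day.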
It will take some planning, both process-based and technical, to put this project in place, so I would look at getting it kicked off as soon as possible. We are on the final stretch towards the GDPR being enforced, and business as usual will just not cut it.
A real-world example that almost got it right
Some agencies have recognised that consent poses a problem for the information that they currently store and are being proactive about rectifying it. I recently received an email from a recruiter explaining GDPR and why they’d like my consent to continue holding and processing my information.
This effort stumbled at the final hurdle to meet their GDPR obligations as when I clicked through to their site they required me to signal my acceptance of multiple non-related ways that they process my personal information through a single acceptance mechanism.
What they requested consent for in an all-or-nothing fashion:
- to provide recruitment and related services
- to find suitable job opportunities for you
- to apply for jobs on your behalf
- to allow you to submit your CV, apply for specific jobs or to subscribe to job alerts
- to market recruitment services to you
- to improve our customer service
- to contact you on occasion with information with career opportunities
There was no way to object to a specific purpose. I could either avail of their services in totality and agree to all purposes that they would like to process my information (as you can see some of them are quite general and others conflated with multiple non-related purposes), or not agree and not be able to avail of any of their services. I appreciated the effort, but it ultimately did not meet the test of GDPR accountability.
If you currently hold personal information for which you did not gain consent and can’t claim another lawful basis for holding and processing it, then you should be considering whether (like Wetherspoons) you should delete it all (I don’t recommend the nuclear option!) or run a Consent Initiative project to reach out to your contacts and gain consent for the purposes for which you hold and process their data. You should be doing this before the 25th May, and ideally use this period to warm them up to your brand if they haven’t heard from you in a while, ultimately asking for consent before the deadline.
The legal bit: I am not a solicitor and as such, what I say in this post should not be taken as legal advice.