And witness the start of the Agreement Economy.
Let’s face it, of the variety of legal bases for personal data collection and use included in the GDPR, few would opt for consent. Consent is fickle. Needing to prove valid explicit consent is an uphill battle. Why even bother? Especially as there are other vastly more attractive means readily available.
All organizations handling or processing personal data on EU residents will soon be required to show proof of their compliance with a new privacy regulation. Many compliance professionals — and indeed business professionals alike — are busy mapping, documenting, and ultimately adjusting their operational processes to the new compliance regime.
As part of these adjustments, making sense of the new regulatory jargon and its practical applicability to various common data processing scenarios ranks high. Prior to the GDPR, however, these were not things most had top of mind, even though many now proclaim Privacy by Design retroactively.
Alternatives to consent
Whilst lawyers and consultants have enjoyed a windfall from the widespread confusion and anxiety brought about by the GDPR, the associated fear mongering is not a constructive contribution to the debate. We wanted to share some very practical, even pragmatic, lessons at no cost. These we’ve learned from working hands-on with many medium and large enterprise customers dealing in sensitive personal information, as well as with customers where the sensitivity of subject data is a much lesser concern — such as, for example, most business processes performed by media companies, and those within marketing functions across all others alike.
In a nutshell, Consent remains a lawful basis for processing personal data. However, under the GDPR, valid consent becomes significantly harder to obtain and prove. Consequently, why not explore using Legitimate Interest, Performance of Contract, or Legal Obligation as the basis for data processing instead? Two easy-to-identify-with examples follow below.
So next time you consult with your legal GDPR advisor, why not ask them about alternatives to consent for your business’ data processing?
1. Legitimate Interests
By now, most HR departments have realised that continuing to rely on Consent as the legal basis for employee data processing likely leads to a GDPR violation. Consequently, HR departments are looking for another basis for processing, such as Legitimate Interests.
HR departments certainly have a legitimate interest in being able to provide employees with healthcare, recreational and other benefits, expense reimbursements, etc. These activities are in accordance with local laws and compliance requirements that precede and extend beyond the GDPR. So whilst the legal basis for salary-payment-related data processing is Performance of Contract, and data processing for tax withholding is based on Legal Obligation, all other HR data processing needs have Legitimate Interest as their legal basis.
This view is echoed by the UK’s ICO:
It follows that if for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data.
As the GDPR states:
Rec.47, 48; Art.6(1)(f)
Processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects which require protection, particularly where the data subject is a child.
2. Performance of Contract
Being behaviorally tracked, profiled, and segmented for the purposes of programmatic advertising (e.g. retargeting), site personalization (including on-site promotions), and marketing automation (connecting the dots between online behavior and personalized email marketing) has historically relied on a vague use of Consent. The continuing ambiguity around the validity and explicitness of such consent causes plenty of grey hair for DPOs and other GDPR practitioners.
Whilst Consent in accordance with the GDPR is near-impossible to obtain for these commonplace digital marketing uses, the continuity of the business processes themselves is far less at risk.
Progressive publishers and consumer marketers alike are moving away from Consent and embracing Performance of Contract in its place. For example, where a publisher previously requested consent for behavioral advertising on their site in exchange for free-of-charge access to their content, the same mutual value exchange can equally well be constructed as a Service Agreement by and between the data subject (site visitor) and the publisher. Governing the data subject’s rights and obligations regarding the use of her personal data under a Service Agreement is far more manageable, better structured, and frankly more transparent to both parties.
A Service Agreement constitutes a legal contract, which allows digital marketing data processing to use Performance of Contract as its legal basis. As the GDPR states:
Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract.
Learn more about Ardoq’s GDPR compliance facilitation software.
Ardoq is an Enterprise Intelligence Graph for Compliance, Governance, and Transformation. We enable businesses and organizations to understand how their people, processes, and data interconnect. Enterprises master digitalization using Ardoq.
Realise Your Digital Roadmap. For information, visit ardoq.com.
Disclaimer: Ardoq does not guarantee nor assume any responsibility for your compliance with any regulations. Any assessment of your level of compliance is based on the data you provide.