THE GDPR THING – PROCESSING DATA
Given the flurry of emails we are no doubt all getting that seek ‘opt-in’ consent to receive future emails, we thought a reminder of the various legal authorisations under which personal data can be processed would be useful.
Personal data can be lawfully processed for teh following reasons:
This includes commercial contracts and contracts of employment. It also relates to steps you might take prior to entering a contract – such as when a candidate sends you a CV or application form as part of their desire to be part of a recruitment process.
For example, employers must provide employee information to HMRC.
For example, disclosing name, address, next of kin details and any medical questionnaire completed by an employee to a paramedic in circumstances where an employee is taken ill at work, and an ambulance is called.
This covers public functions and powers that are set out in law or to perform a specific task in the public interest that is set out in law. It is most relevant to public authorities but can apply to any organisation that exercises official authority or carries out tasks in the public interest.
Most commercial organisations will have a marketing plan which will include measures and actions designed to ‘get their name out there’ and thus better enable it to gain sales or win new business. In the professional and technical services sector, where services are provided Business to Business, this may well be the appropriate reason for processing data such as names and e-mail addresses. It would be interesting to see what argument could be advanced that says that such marketing initiatives are not a ‘Legitimate Interest’. To rely on this however, will need some thought and analysis. Carrying out a data audit and a Legitimate Interest Assessment will help you decide if this applies to your processing where it relates to e-mail circulations. A free template for this is available on the ICO website at:
This is the ‘catch-all’ authorisation and probably the easy option. If the first 5 don’t work for you then getting specific, informed and explicit consent will. Hence the e-mails we are all receiving. It will be a matter of time before we know just what percentage of those asked for new consent actually go down the ‘YES’ route or just can’t be bothered.
Sentient’s commitments to Safe Personal Data Processing
Without doubt, our management approach to processing personal data will continue to evolve. The final legislation of course is still not out and is still going through the legislative process as we write this………….make of that what you will!