THE GDPR THING – PROCESSING DATA
Given the flurry of emails we are no doubt all getting that seek ‘opt-in’ consent to receive future emails, we thought a reminder of the various legal authorisations under which personal data can be processed would be useful.
Personal data can be lawfully processed for the following reasons:
1. For the Performance of the Contract
This includes commercial contracts and contracts of employment. It also relates to steps you might take prior to entering a contract – such as when a candidate sends you a CV or application form as part of their desire to be part of a recruitment process.
2. For compliance with a legal obligation
For example, employers must provide employee information to HMRC.
3. In order to protect vital interests of the data subject or other natural person
For example, disclosing name, address, next of kin details and any medical questionnaire completed by an employee to a paramedic in circumstances where an employee is taken ill at work, and an ambulance is called.
4. For the performance of a task carried out in the public interest in the exercise of official authority
This covers public functions and powers that are set out in law or to perform a specific task in the public interest that is set out in law. It is most relevant to public authorities but can apply to any organisation that exercises official authority or carries out tasks in the public interest.
5. For the performance of a legitimate interest
Most commercial organisations will have a marketing plan which will include measures and actions designed to ‘get their name out there’ and thus better enable them to gain sales or win new business. In the professional and technical services sector, where services are provided Business to Business, this may well be the appropriate reason for processing data such as names and e-mail addresses. It would be interesting to see what argument could be advanced that says that such marketing initiatives are not a ‘Legitimate Interest’. To rely on this, however, will need some thought and analysis. Carrying out a data audit and a Legitimate Interest Assessment will help you decide if this applies to your processing where it relates to e-mail circulations. A free template for this is available on the ICO website at:
6. With the consent of the Data Subject
This is the ‘catch-all’ authorisation and probably the easy option. If the first 5 don’t work for you, then getting specific, informed and explicit consent will. Hence the e-mails we are all receiving. It will be a matter of time before we know just what percentage of those asked for new consent actually go down the ‘YES’ route or just can’t be bothered.
Sentient’s commitments to Safe Personal Data Processing
- The data we hold relates to our clients, our employees and recipients of our e-mail updates. It is only processed for the performance of our contract or because we have a legitimate interest.
- We have carried out a Data Audit and a Legitimate Interest Impact Assessment to help us make appropriate decisions on personal data processing.
- We keep personal data secure.
- We will never sell on personal data, or indeed give it away.
- Our employees have had training in GDPR and know their responsibilities concerning personal data processing.
- Our portable electronic equipment (e.g. laptops, memory sticks) has been encrypted.
- All our e-mail updates give the recipient an absolute right to opt-out of receiving further e-mails. This is done automatically.
Without doubt, our management approach to processing personal data will continue to evolve. The final legislation of course is still not out and is still going through the legislative process as we write this… make of that what you will!