For any company working in Europe or that has clients in Europe, the General Data Protection Regulation sets the limits, guidelines and provisions for processing any of the customer's data. This concerns anyone in the communication field, as well as anyone looking to provide their customers with service-related messages, offers, etc.
As this particular piece of legislation is rather long, it’s key to start with the most important aspects when building up the communication system and the series of consents and agreements associated.
The principles of data processing
Let’s do a quick review of Article 5, which stipulates the principles of data processing, as this is the starting point for all data processing. You can process data, but you must follow these guidelines:
- Lawfulness - All data needs to be obtained, handled and stored according to law.
- Fairness - Data subjects need to be given usable means to enforce their rights, and those rights must be honoured (they have to be able to exercise the right to data access, portability and the right to be forgotten easily.)
- Transparency - All processing needs to be done in an open and defined manner that leaves the data subjects in no doubt about how their data is processed (documented clearly.)
- Purpose limitation - Data is only processed for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
- Data minimization - Processing is limited to data that is directly linked to the aforementioned purpose.
- Accuracy - The data is accurate and up to date, and all reasonable steps should be taken to correct inaccurate data or delete it.
- Storage limitation - Data is stored for no longer than is explicitly needed for the aforementioned purposes.
- Integrity and confidentiality - Data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability - The data processor is responsible for and has to show compliance with the aforementioned principles (has to have the processes, rights and solutions defined and documented.)
While this is quite a substantial list, what it means, in a nutshell, is that you should only process data that you need, you must obtain it legally, transfer, handle and store it securely, keep it accurate, and keep it only for as long as you legitimately need to. Also, you must grant data subjects access to their personal data whenever they ask for it.
Out of all of these principles, the “purpose limitation” part has people most confused.
We have also explained GDPR and PSD2 in one of our webinars.
What does “purpose limitation” mean?
Do I need to ask consent for everything? Does previous consent still apply? And how do I know if I have a legitimate purpose for processing?
Article 6 of GDPR helps us answer these questions, and I’ll break it down into six bases for lawful processing, making it easier to understand.
1. Consensual processing for specific purposes, meaning that the data subject has given you the right to process data for a specific purpose.
The consent given needs to be clear, informed and given in an explicit manner, so you can’t infer consent from silence or inaction (this means no pre-ticked boxes). This is most relevant for marketing, as it signals a switch from an opt-out form to an opt-in form, and this will have a significant impact on newsletters and general marketing communication sign-ups.
Here’s the sticking point: if you “gained” consent the old way, like a pre-ticked box, it’s no longer compliant. So, any previous marketing trickery can get you in trouble and you have to obtain the correct form of consent. And even if you got consent in the right form, you still have to be able to show that you did, in fact, get it in the right form, as consent needs to be verifiable.
Though this is a game-changer for marketing, it’s not the only lawful way to process data.
2. To perform contractual or service-related obligations.
The ways you process data need to be shown, but you don’t need to define every minuscule step (it’s enough to say you’ll store contact information for billing purposes, not spell out every detail needed to do that). For most data processing carried out (besides marketing), this is the lawful basis. From activity logs to contact details to long-term storage, if processing is needed to deliver the service that the client wants, this covers it.
3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
All companies have certain legal obligations when it comes to people using their services, such as long-term data retention for communication providers to assist in the fight against terrorism, or handing over data to the police to assist in investigations. For these purposes, explicit consent isn’t required, as the authorities still maintain the right to demand access.
4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
Say you get a car loan and get into an accident, the details of which are forwarded to the loan provider to prove that further payments are impossible, or that they will be delayed. To ensure that no late fees or other punitive measures are applied, this data needs to be processed and stored for as long as it’s relevant. The same goes for certain banking details that ensure you don’t lose your retirement savings: even when you don’t use your bank account for 15 years, your data is still stored and processed.
5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This is the right of the state and its authorities to access and process data when it is deemed legal to do so in the public interest. This one is pretty straightforward and will apply to organisations that deal with the state (like law firms or contractors).
6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This is the vaguest principle of the six, but GDPR recitals 47, 48, 49 and 50 help us clear it up a bit. I suggest you read them to get a better understanding of what they mean. For example, Recital 47 doesn’t mean you can still process data without consent, as it’d defeat the purpose of GDPR.
The GDPR is a framework regulation replacing a document that stood for 23 years. It is kept deliberately broad so that it can cover future developments in an information-saturated world for at least as long, and it is designed to give EU citizens and residents control of their personal data. It makes freedom, security and vigilance the most important aspects of data processing and regulates the procedures accordingly.
While this leads to extended obligations for organisations and a more difficult setting for marketers and salespeople, the aims are noble. As with any regulation this broad in scope, there will still be confusion for years to come, and clarity will be obtained through legal precedents.
There are specific steps you can and should take, though, that go a long way toward compliance, in addition to keeping the security of your systems at the highest available standard and monitoring those systems daily.