GDPR updated guidance
In this blog, Jonathan Wilby of our Litigation Department, updates us on the upcoming General Data Protection Regulations (GDPR).
In my blog last summer Data Protection Changes I commented, with brilliant insight into how the passage of time works, that May 2018 (GDPR implementation 25 May) would soon be upon us and, indeed, that is proving to be the case! I did also recommend the ICO website to keep up-to-date with their regularly updated guidance. Specific guidance is now available about:
- Data protection officers
- Data portability
- Breach notification
- Contractual obligation/complying with a legal obligation and protecting vital interests as bases for lawful process
The emphasis in all of this guidance is very much that it is for businesses to work out for themselves how they can best comply with the regulations and to document their reasoning to justify all data processing. The message from the ICO is that they will expect businesses to have carried out their data audit/impact assessments and to be actively monitoring compliance when the regulations come into force on 25 May.
One aspect of lawful processing that has not yet been covered by specific guidance is the legitimate interests ground. What is clear however is that this basis for lawful processing is being promoted as a potentially more appropriate basis for compliance than explicit consent which can be difficult to obtain in practice. The Information Commissioner Elizabeth Denham recently posted a blog on her website in which she emphasised that consent is only required where it is relied upon as the basis for the lawful processing and other grounds might be available which mean that consent is not in fact necessary. Specifically, the ICO website says "if consent is too difficult, look at whether another lawful basis is more appropriate". Businesses are entitled to take "cost of implementation" & "principle of proportionality" into account when planning for compliance.
For many businesses the grounds of "legitimate interests" will readily apply: why else would businesses be holding and using standard personal data other than to further their legitimate business interests? It is however potentially nuanced and, on the face of it, it carries risks of uncertainty which means that it has tended to be overlooked as a mainstream ground for compliance.
The Regulations require that the data processing must be "necessary for the purposes of the legitimate interests of the data controller or a 3rd party except where those interests are overridden by the interests, rights or freedoms of the data subject". In most instances, the data subject rights in question will be the right to privacy. Therefore, provided the use of the personal data is not intrusive, excessive or potentially offensive, it is unlikely to carry any real risk of breaching an individual's personal rights.
Therefore, given that the information Commissioner has said that GDPR will not prevent any business from being able to operate in a responsibly commercial way, it is expected that the promised forthcoming guidance on legitimate interests will clarify how business can rely on their own reasoned judgement to support this as a ground for most normal business operations. The Information Commissioner herself has said "you know your organisation best and should be able to identify your purposes for processing personal information".
Therefore, a purposive approach to compliance with GDPR should not restrict legitimate business interests and will enable the business to carry on in a compliant way. Obviously special considerations apply to sensitive personal data or to large scale operations like data profiling. But as far as normal business operations are concerned it is the bad practices that undermine the UK public's trust and confidence in what happens to their personal data which will be hindered and most people will probably agree, about time too.
Keep up to date with the ICO guidance on their website (and subscribe to their Newsletters): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new/