Member Since: 17th Apr 2018
Operations Manager with FibreCRM
Experienced business professional with 25 years experience of end-to-end leadership and management in sectors such as Food Manufacturing, Business & Training Support, Information Technology and Software Development.
Skilled in GDPR Consultation, Cyber and Information Security, Conflict Negotiation, Business Planning, Coaching, Change Management, B2B and B2C support.
BSC Certificate in Information Security Management, Certified GDPR Practitioner, Project Manager, Data Privacy Lead and Business Analyst.
Senior Consultant Pulse Cyber Security
26th Jun 2020
Really good article, interesting however that the focus is on the £18m litigation claim, as opposed to the potential/likely fine from the ICO which could (by rights, under the GDPR) exceed £1bn - based on EasyJet's annual turnover.
There is more risk to accounting firms (in terms of fines value, reputation damage) from ICO action than there is from legal claims - so this will be a test case very similar in scale to how Ireland's DPC is under pressure to act this summer (Facebook and Twitter both face DPC fines).
11th May 2018
If the data subject is an existing client, it is safe to suggest that there would be a legitimate interest and that can be applied as a lawful basis for processing the data. Remember, there still needs to be an option to "Opt Out" when relying on legitimate interest.
17th Apr 2018
An interesting article with some solid content, however the "need for consent" is consistently misinterpreted in the media - and this is another example. In addition, not every organisation will need to appoint a DPO...
Legitimate Interest or Consent?
The absolute need to gain Consent (and to apply that as the only possible lawful basis, through which personal data can be processed) is the greatest GDPR myth of all.
Even with less than 6 weeks to go to May 25th, this remains the case – and many accountancy practices remain focused (and panicked) on identifying how to go about gaining Consent. In fact, Legitimate Interest would be a perfectly valid lawful basis in many instances, and Consent does not need to be obtained.
As Elizabeth Denham (Information Commissioner) herself has quoted, “Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.”
Unfortunately this particular article falls into the same trap, and Legitimate Interest is again overlooked as a valid lawful basis for the processing of personal data.
In general the accuracy of information around GDPR via social media, blogs and articles is mixed at best, so I would urge anyone with any concerns or questions about their compliance journey – to make the ICO website a familiar port of call.
Legitimate Interest or Consent? Well, firstly we must consider the nature of the data subject and the processing of the personal data. Is it B2B or B2C? The difference is significant within the GDPR.
B2B (Business to Business): If your product or service is of relevance to the recipient professionally, then you can market to them without opt-in consent for particular channels, like email and text.
However, an opt-out option must be used. This applies only when marketing to corporate entities: limited companies, LLPs, partnerships in Scotland and government departments. Legitimate Interest is a valid lawful basis, as long as a 14-point LIA is conducted for each data subject and a 3-point balancing test is carried out. The key message being the need to ensure (in every instance) that the rights, freedoms and interests of the data subject are not outweighed by those of the data controller. In addition, it is essential to always provide a clear, transparent and easy-to-use “Opt-Out” option for the data subject when applying Legitimate Interest as your lawful basis.
B2C (Business to Consumer): Opt-in consent is required with all the consent rules applying. Once marketers have received a subject’s consent to process their data, they may use other personal data such as the subject’s purchase history or location to tailor their marketing as long as they can prove it’s of legitimate interest to the subject. This applies when marketing to sole traders or partnerships.
This is further reinforced by the Direct Marketing Association (DMA), who have clearly stated that B2B marketing activities can apply legitimate interest as the legal basis for electronic marketing, because PECR does not apply.
Data Protection Officers
A second and significant inaccuracy in the article is the suggestion that every practice will need to appoint a Data Protection Officer (DPO). Not so, and it’s not that straightforward.
Under Article 37 of the GDPR, there are 3 scenarios where the appointment of a DPO by a controller or processor is mandatory:
1. The processing is carried out by a Public Authority
2. The core activities of the controller or processor consist of processing operations which require “regular and systematic processing of data subjects on a large scale” or
3. The core activities of the controller or processor consist of processing on a “large scale of sensitive data” (Article 9) or data relating to “criminal convictions and/or offences” (Article 10).
The ‘Guidelines on Data Protection Officers’ published by the Article 29 Working Party (“WP29”) provide clarity on requirements contained in Articles 37, 38 and 39 of the GDPR. Understanding whether or not an organisation needs to appoint a DPO depends on the scale/scope of the processing operations - and whether they fall within scope of Article 37. If you are unsure whether your organisation needs to appoint a DPO, simply ask the ICO or do some reading of Article 29.
If an organisation carries out the type of processing activities above (and/or is a public authority), then it will be required to appoint a DPO under the GDPR – be it external or internal.
It is essential to note that if an organisation does not meet the requirements in the GDPR (instead, voluntarily deciding to appoint a DPO), then the same requirements that apply to mandatory DPOs will still apply.
Importantly, if an organisation decides not to appoint a DPO, the WP29 recommends documenting the reasons.
Hopefully this is helpful to anyone worried (or in doubt) about Consent and/or Legitimate Interest, and whether you need to appoint a DPO. I would be delighted to discuss any of this in more depth, either via this thread or through direct message.