How to get prepared for the GDPR
1 like674 views
The document outlines the legal bases for processing personal data under GDPR, emphasizing the importance of consent and legitimate interest for marketing purposes. It highlights the need for businesses to ensure compliance through proper data handling, including segmentation and profiling, without solely relying on consent. Additionally, it encourages organizations to conduct data audits and consult experts if they face challenges with current regulations.
How to get prepared for the GDPR
- 1. INSERT INFORMATION CLASSIFICATION HERE General Data Channels UX / CRO Consent or Legitimate Interest? The big question for marketing. Public
- 2. INSERT INFORMATION CLASSIFICATION HERE Lawful basis To process personal data under GDPR, you require a legal basis: • Consent • To perform a contract • Legal compliance • Protection of vital interests of a person • Public interest or official authority And the big one for marketing! 6(1)(f ) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” Rec 47 Public
- 3. INSERT INFORMATION CLASSIFICATION HERE GDPR , not E-privacy (PECR) Public GDPR is not about permission to send electronic marketing (that’s another law)! GDPR is about all of the other processing you do behind the scenes as well: • Segmentation • Targeting • Profiling • Data matching • Screening Example; Electronic marketing needs to be compliant with GDPR and Privacy and Electronic Communication Regulations. Just because you’ve got a tick box for electronic marketing, doesn’t make you GDPR ready.
- 4. INSERT INFORMATION CLASSIFICATION HERE Consent Public “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” ICO “The GDPR sets a high standard for consent.” “Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate”. You will need to be specific about any use you will be putting the data to.
- 5. INSERT INFORMATION CLASSIFICATION HERE Legitimate Interest (this is the way many businesses have been doing it since 1998) Public • Is it the most appropriate lawful basis for processing? • Explain how or why we need an individual’s personal data • Use a layered privacy notice/policy • Give individuals the option to refuse marketing • This right is explicitly stated, prominently displayed and it’s easy to exercise that right • Collect the minimum data necessary and delete records after use • Ensure you have a valid reason to process an individual’s personal data using your legal legitimate interests The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. Rec 47
- 6. INSERT INFORMATION CLASSIFICATION HERE The Balancing Test Public Marketing is a legitimate interest of the data controller, but: • Is the processing necessary for the direct marketing? • Is any third party processing necessary for the purpose of direct marketing? • Is their another way of achieving your legitimate interest? • Would the individual reasonably expect this processing? • Is the processing relevant to your relationship with the individual? • Are you processing the minimum personal data required to meet your needs? • Is this processing likely to harm or disadvantage the individual (what type of marketing are you doing??!!!)
- 7. And finally… Public Don't wait for further guidance, work with what you have. This law won’t go away, act now while the current regulations are in place. If whatever route you have chosen becomes damaging to your business or seems impossible, ask advice from the ICO or DMA, a better route may be possible. Get someone in your organisation trained to Data Protection practitioner level. The first step is the data audit, if you haven’t started yet, start one tomorrow. Good Luck!