UK Privacy Regulator Busts Myths About Consent Under GDPR

King & Spalding

The UK’s Information Commissioner’s Office is dismissing misinformation about the EU’s General Data Protection Regulation (GDPR) coming into force next year. In a recent blog post, the second in a series launched on August 9, Information Commissioner Elizabeth Denham seeks to allay concerns among businesses that the only way to process consumers’ personal data in compliance with the GDPR is by obtaining explicit consent. While obtaining consent is one method, there are many other lawful bases.

The GDPR, which comes into effect on May 25, 2018, imposes new obligations on businesses that control or process personal data, and strengthens consumers’ rights to direct the use of their personal data. The regulation will apply not only to organizations operating in the EU, but also extraterritorially to companies that offer goods or services in the region, or monitor the behavior of EU citizens.

The GDPR raises the standard for obtaining consumers’ consent, and directs that consent be granted by “clear, affirmative action.” “Silence, pre-ticked boxes, or inactivity should not therefore constitute consent.” While this new standard has created a focus on obtaining consent, Denham emphasizes that it only applies to businesses that are relying on consent as the basis to process personal data.

According to Denham, the focus on consent has “left no room to discuss the other lawful bases organisations can consider using under the new legislation.” Under the GDPR, there are five other bases available for processing personal data. Specifically, when processing is necessary: (1) for the performance of a contract with the data subject or to take steps to enter into a contract; (2) for compliance with a legal obligation; (3) to protect the vital interests of a data subject or another person; (4) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and (5) for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Denham acknowledges that organizations will want to know more about what constitutes “legitimate interests” and points them to the guidance already published by the ICO on that topic as well as guidance published by the Article 29 Working Party, a group composed of representatives from all EU Data Protection Authorities, the European Data Protection Supervisor, and the European Commission. Organizations should assess their purpose for processing personal data, and determine which lawful basis the purpose falls under.

If the lawful basis is consent, companies should assess whether their practices comply with the GDPR’s requirements. Although final guidance will not be published until late next year, Denham stresses that companies should not wait to assess compliance and should rely on the ICO’s draft guidance on consent. Denham writes that the draft guidance will not change significantly in its final form and that companies “already have many of the tools” needed to prepare.

Denham hinted that future blog posts in her series on busting myths about the GDPR will address guidance, the burden on business, and breach reporting.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding