Data Protection

GDPR two years on: justifying the use of data

Written by Andy Bridges, Data Quality and Governance Manager at REaD Group.

It’s been two years since the implementation of the GDPR and we always knew it was going to be a journey, not a destination. From the long months of panic felt by many organisations pre-implementation, many have succeeded in getting their house in order since. There was a lot of coverage and information for consumers in 2018, but since then, the only time you tend to hear about GDPR is when a big fine is handed out. Brands have made huge progress – but there’s always more to be done. 

From recent conversations held with clients, some are still unclear about the lawfulness of processing data (Article 6), and what they should be doing to justify the use of data. It is worth pointing out there is no hierarchy on which basis is chosen, but for any data processing a lawful basis must be chosen and justified. This situation has been exacerbated by the global pandemic, as companies increase their communications with customers but are more aware than ever of communicating responsibly, legally and with care during these difficult times. So how should companies ensure their approach to processing data is GDPR-compliant?

Choosing the best lawful basis to use
While the definitions of GDPR are explicit, there are no specific directives on how to apply them when collecting, processing, storing and using data. These daily decisions are the responsibility of the marketer processing the data, so marketers must know how to apply the regulations to their activities while being able to balance them with their business objectives and KPIs. 

It’s no surprise that the finer points of the GDPR remain a challenge to many. In particular, the lawfulness of processing data (Article 6), especially consent and legitimate interest, are the most difficult to get to grips with. As a marketer, it’s imperative to assess what lawful basis can be used, which is the most appropriate when processing data for marketing processes, and the impact this will have on their marketing activities. 

Doing due diligence
There are six legal bases for processing personal data. Legitimate interest, based on the ICO’s definitions, is the most flexible and can therefore be applied to many different situations. It is generally the most appropriate basis to use when processing data is of a clear benefit to you or others, where there is limited privacy impact on the individual, or where an individual would reasonably expect their data to be used in that way. The balance of fundamental rights is of equal measure and transparency is crucial when making these decisions. Therefore, due diligence here is crucial.

According to the GDPR, direct marketing may be considered a legitimate interest in recital 47, albeit upon the appropriate and thorough application of a balancing test. By balancing the business and marketing objectives with the rights of the individual – and a good dose of common sense – and documenting it in a professional and trackable manner, marketers can use this basis for marketing with more confidence. 

Applying a balancing test to a legitimate interest also applies to prospect data and data sourced from third parties as well as first party data. There is nothing in the GDPR that prohibits the use of third party data, provided that it is collected and processed in accordance with the data protection principles and regulatory guidance.

When it comes to consent, the ICO says: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”

This means that, in a number of cases, consent may not be required. However, it is required in the use of electronic marketing (namely email). This is where GDPR and the Privacy & Electronic Communication Regulation (PECR) dovetail, meaning that email marketing requires consent and the requirements for consent are set out in the PECR. 

Trust is paramount
Building and maintaining trust and transparency with consumers is at the heart of the GDPR: applying rigour and common sense to balancing commercial interests with consumer rights and testing that decision to ensure it is the right approach.

The concept of privacy by design and ‘responsible marketing’ requires a cultural shift to achieve and maintain. Being genuinely GDPR-compliant remains a work in progress, but it can only be a good thing as it helps to implement alignment, accountability and education across marketing, IT, legal and compliance departments. 

To watch our Last Thursday in Privacy webinar “GDPR (2 Years On): What’s Changed and What You Need to Know”, click here