Data Governance

Understanding the Lawful Bases for Processing Data

By Andy Bridges, Data Quality and Governance Manager at REaD Group.

We are now well over 12 months into the enforcement of GDPR and marketers are still wrestling with the nuances of the regulations. Confusion around the lawfulness of processing (Article 6), namely consent and legitimate interest, remains. The most common questions concern which lawful basis can be used, which is the most appropriate when processing data for marketing, and the impact this has on direct marketing, advertising and so on.

While GDPR is principles-based, the day-to-day decisions are left with the people who are processing the data. And although the definitions are explicit, the regulation doesn’t tell you how to apply them. Marketeers have to know how to make the decision and justify it, but they are still battling with nuances and the fear of contravening regulations where they are not explicit.

What are the lawful bases for processing data and who should marketeers work with to ensure their data is transparent, compliant and responsible? And how do they align their legal, compliance, governance, IT and marketing teams in order to meet the new data protection regulation and educate them on how to use and process data?

GDPR twelve months on

In the run up to May 2018, enforcement of the GDPR was both high profile and high priority, with a plethora of reports, papers, GDPR specialists and lawyers giving detailed (and in some instances) contradictory advice. Many of these also carried the scare tactic of regulatory fines running into the millions.

While some of the panic and misinformation has now died down, UK businesses are still battling to be GDPR ready. They are unlikely to be compliant, given the many interpretations of the articles and recitals of the GDPR (according to recent research*, over 50% of companies say they aren’t), as marketers wrestle with the nuances of the regulations and how to apply them for marketing purposes.

The root of much of the confusion is that the GDPR is a principles-based regulation: while the definitions are fairly explicit, it doesn’t set out a routine for applying them in the day-to-day decision-making around data collection, processing, storage, and how data can be used once collected.

We are entering a phase where marketers have to be more aligned with data protection law and have to know how to apply the regulations to their activities – balancing their business objectives and KPIs with the risk of contravening the regulations where they are not explicit. The GDPR puts a lot more responsibility and accountability onto Data Controllers and Processors to make decisions about why they are processing personal data, and they must be able to record processing activities and evidence the rationale and legal basis for those decisions.

I talk to clients every day – experienced marketers and data and compliance professionals across multiple sectors – who are questioning every action and decision regarding their customers’ and prospects’ communications in the context of the GDPR. Questions include: What is the best lawful basis to use or choose from; How do I choose which is the most appropriate; Do I need to write an LIA or DPIA; Does my organisation need to be named when purchasing data for prospecting; How do we ensure we have protected the consumers’ fundamental rights, and so on.

In particular, much confusion and anxiety still exist around when and how to use the key lawful bases for processing data for marketing purposes: consent and legitimate interest.

The legal basis for legitimate interest

With reference to the ICO’s definitions, legitimate interest is the most flexible of the six legal bases for processing personal data, and it can therefore be relied on in many different circumstances.

For example, it may be the most appropriate basis when the processing is of clear benefit to you or others, there is limited privacy impact on the individual, or an individual would reasonably expect their data to be used in that way. Remember that the individual’s fundamental rights carry equal weight in this balance, and transparency is key to making these decisions.

It is also key to remember that the GDPR specifically states that direct marketing may be considered a legitimate interest in recital 47, albeit upon the appropriate and thorough application of a balancing test. By balancing the business and marketing objectives with the rights of the individual – and a good dose of common sense – and documenting it in a professional and trackable manner, marketers can use this basis for marketing with more confidence.

On that note, a recent example of this is the RNLI’s decision to move from opt-in to a legitimate interest basis for marketing. Four years ago, the RNLI moved to collecting a clear opt-in consent to send marketing and communications, but over time this has led to a shortfall in funds and a drop in its supporter numbers from two million to less than half a million. The decision is fully compliant with data protection regulations and similar to the approach taken by many other major charities.

The balancing test for legitimate interest applies equally to prospect data and data sourced from third parties, as well as to first-party data. It’s worth remembering there is nothing in the GDPR that prohibits the use of third-party data, provided that it is undertaken in accordance with the data protection principles and regulatory guidance.

The legal basis for consent

So, what about consent basis? Again, referencing the ICO, when it comes to consent, “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”

So, in a number of instances, consent may not be required. However, one example of when it is required is electronic marketing (namely email), and this is where the GDPR and the Privacy and Electronic Communications Regulations (PECR) dovetail: email marketing requires consent, and the requirements for that consent are set out in PECR.

Place trust at the core

At the heart of the GDPR is building trust with consumers. That means applying rigour and common sense to balancing commercial interests with consumer rights, and testing that decision to ensure it is the right approach.

Gone are the days of privacy being a box-ticking exercise (no pun intended!). The concept of privacy by design and ‘responsible marketing’ requires a cultural shift to achieve and maintain. As with so many things, being genuinely GDPR-ready is work in progress, but is surely a good thing that ensures alignment and accountability across marketing, IT, legal and compliance departments.

About the author

Andrew Bridges joined REaD Group as Data Quality and Governance Manager in 2016 to spearhead the company’s commitment to providing industry-leading standards of data quality and governance. A key part of Andrew’s remit is ensuring REaD Group remains at the forefront of the EU regulatory landscape, in particular gearing up for the introduction of the new General Data Protection Regulation.

REaD Group is a marketing data and insight company that uses its unrivalled data products, insight and expertise to help its clients get closer to their customers, offering market-leading data quality and cleaning solutions and trusted marketing data.