Lawful Basis For Processing - Who is responsible?

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Simon Plummer, Jan 18, 2018.

  1. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    We process data on behalf of clients. As part of GDPR preparation we are understanding the basis for processing. What I expected to see was an influx of customers advising of the basis we are processing the information for on their behalf - guess what, we aren't.

    As a processor, are we responsible for obtaining this detail from the controller?
    Do we just 'decide' which basis applies in the absence of anything from the controller?
    If we don't hear, are we still compliant as an organisation? (as long as we can prove attempts at finding out)

    It is specifics like that that are not covered and truly won't be proven without case law in the future. But it is difficult to prepare without more detailed guidance in this area. My experience is that the ICO won't answer specific queries, I may stand corrected of course - what are other people's experiences?
     
    Posted: Jan 18, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #1
  2. Graham Marcroft

    Graham Marcroft UKBF Newcomer Free Member

    Hi Simon,
    We are a processor and have a form we will be sending to all of our customers asking them which Lawful basis of processing their data falls into. We will be sending these forms out at the end of this month. I will let you know how we get on.
    I genuinely feel that if we have done this and can show we have done this if the ICO come knocking, we can say, "well, what more could we have done?"

    Thanks

    Graham
     
    Posted: Mar 14, 2018 By: Graham Marcroft Member since: Mar 14, 2018
    #2
  3. Newchodge

    Newchodge UKBF Big Shot Free Member

    Are you also telling them that a failure to respond will mean that you can no longer process their data? I don't think it would be enough to say that you asked the question and, when you got no reply, you assumed that meant it was OK. I think you need to assume the opposite.
     
    Posted: Mar 14, 2018 By: Newchodge Member since: Nov 8, 2012
    #3
  4. fisicx

    fisicx It's Major Clanger! Staff Member

    Correct. Consent has to be given. If no reply then no consent is given. And even if consent is given you still need to provide the option to unsubscribe and ask for your data to be removed.
     
    Posted: Mar 14, 2018 By: fisicx Member since: Sep 12, 2006
    #4
  5. The Byre

    The Byre UKBF Ace Free Member

    That's because nobody really cares!

    "Oh look!" they say. "Yet another stupid and pointless box that needs ticking! Well, whoopee!"
    That's because they don't know the answers either!
     
    Posted: Mar 14, 2018 By: The Byre Member since: Aug 13, 2013
    #5
  6. fisicx

    fisicx It's Major Clanger! Staff Member

    I suspect there will be a few high profile cases in the news with various fines to get people's attention.
     
    Posted: Mar 14, 2018 By: fisicx Member since: Sep 12, 2006
    #6
  7. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Thanks Graham, we too are taking this approach. Seems to be the favourable option.

    Agree entirely Newchodge! We don't mention this on the initial comms - we save this for the 'hardball' reminder!

    Consent isn't necessary in a lot of (if not most) situations; it is only one of the lawful bases for processing, and in fact it is the most onerous and best avoided if possible. For some reason the focus has been placed on consent - mainly in the marketing arena, where it applies heavily. It is a common misconception that it is needed for all processing of personal data.
     
    Posted: Mar 14, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #7
  8. fisicx

    fisicx It's Major Clanger! Staff Member

    If you look at the 6 lawful bases for processing there are all sorts of restrictions. For example, a lot of people are jumping on the 'legitimate interest' option without really understanding what this means. The criterion they all seem to be missing is: "The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply."

    In other words, you can't just bung out marketing material to a random set of people and call it legitimate interest because: "...you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing". They wouldn't reasonably expect to get an email for a service they aren't already interested in or even need. Sending me an email offering PPC/SEO/telesales services is not legitimate interest.

    But a sensible approach to marketing can generate great leads and still remain within the scope of GDPR.
     
    Posted: Mar 14, 2018 By: fisicx Member since: Sep 12, 2006
    #8
  9. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    Agree where marketing is concerned; however, data processing is much, much wider, and most often consent isn't needed from what I have seen so far. My original question is not relating to marketing activities; we cover that off differently with either legitimate interests or consent if needed (again, with our activities mostly not necessary due to the specific targeted approach using publicly available information).

    To justify legitimate interests you will need to document a legitimate interest assessment.
     
    Posted: Mar 14, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #9
  10. fisicx

    fisicx It's Major Clanger! Staff Member

    Absolutely. If you need the data to process an order or to meet regulatory requirements then legitimate interest is fine.

    The problem is many companies seem to think because they bought a list of emails last year it means they can use legitimate interest as the legal basis to send out marketing material.
     
    Posted: Mar 14, 2018 By: fisicx Member since: Sep 12, 2006
    #10
  11. ffox

    ffox UKBF Regular Free Member

    Simon, this is falling at the first hurdle. GDPR contracts guidance -
    • Whenever a controller uses a processor it needs to have a written contract in place.
    • The contract is important so that both parties understand their responsibilities and liabilities.
    • The GDPR sets out what needs to be included in the contract.
    • In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.
    • Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.
    • Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

    • You say your customers are not advising you of their requirements. That being the case, there is no contract.

     
    Posted: Mar 14, 2018 By: ffox Member since: Mar 11, 2004
    #11
  12. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    I am pretty versed in that article; we do have contracts in place. However, the question that was originally asked is around the best approach to take with our customers. It is clear that the documentation needs to be completed (which we are doing); obtaining this information will then allow us to add the relevant addendum to the contracts in line with the controllers' requirements.
     
    Posted: Mar 15, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #12
  13. ffox

    ffox UKBF Regular Free Member

    1. The terms of any pre-GDPR contracts you have in place are voided by the change in legislation. New terms will have to be drawn up.
    2. In a contract you cannot assume knowledge of the wishes of another party, so your customer must inform you of their requirements.
    3. Once 1 and 2 have been completed, and the contracts signed you have a solid basis to move forward.
    4. If the customers will not volunteer their requirements, you can offer them contract terms and require their acceptance, but contracts must be in place.
     
    Posted: Mar 15, 2018 By: ffox Member since: Mar 11, 2004
    #13
  14. James Reckons

    James Reckons UKBF Newcomer Free Member

    I know this doesn't apply to random marketing. But there is a thing called 'soft opt-in' that we can use if we already have a business relationship. This means we can contact our customers outside of the sale, without explicit consent if -

    a - we obtained the customer's contact details in the course of a sale of products or services to that customer.

    b - the emails we intend to send after we’ve provided the service are about the same or similar products.

    No explicit consent required - just as long as we provide a simple means of opting out.
     
    Posted: Mar 16, 2018 By: James Reckons Member since: Aug 18, 2015
    #14
  15. fisicx

    fisicx It's Major Clanger! Staff Member

    Indeed, and that’s how many businesses will be doing things. But if you read the guidance there is a very narrow set of conditions where you can use the soft opt in.

    Offering a boiler service one year after installing a new boiler is fine.

    Offering to paint the utilities room after installing a new boiler isn’t.

    It has to be a product or service they would normally expect.
     
    Posted: Mar 16, 2018 By: fisicx Member since: Sep 12, 2006
    #15
  16. Keith Budden

    Keith Budden UKBF Contributor Full Member

    Fisicx has hit the nail on the head - always ask yourself the basic question: if I was the consumer (whether that's B2C or B2B really doesn't matter in this instance), would I reasonably expect to receive material about [insert chosen subject] from you? If the answer is 'NO', then you need to go back and get consent.
     
    Posted: Mar 30, 2018 By: Keith Budden Member since: Mar 30, 2018
    #16