Lawful Basis For Processing - Who is responsible?

Simon Plummer

We process data on behalf of clients. As part of GDPR preparation we are understanding the basis for processing. What I expected to see was an influx of customers advising of the basis we are processing the information for on their behalf - guess what, we aren't.

As a processor are we responsible for obtaining this detail from the controller?
Do we just 'decide' which basis applies in the absence of anything from the controller?
If we don't hear, are we still compliant as an organisation? (as long as we can prove attempts at finding out)

It is specifics like that that are not covered and truly won't be proven without case law in the future. But it is difficult to prepare without more detailed guidance in this area. My experience is that the ICO won't answer specific queries, I may stand corrected of course - what are other people's experiences?
Graham Marcroft

Hi Simon,
We are a processor and have a form we will be sending to all of our customers asking them which Lawful basis of processing their data falls into. We will be sending these forms out at the end of this month. I will let you know how we get on.
I genuinely feel that if we have done this and can show we have done this if the ICO come knocking we can say, "well, what more could we have done?"

Thanks

Graham

Newchodge

We are a processor and have a form we will be sending to all of our customers asking them which Lawful basis of processing their data falls into.

Are you also telling them that a failure to respond will mean that you can no longer process their data? I don't think it would be enough to say that you asked the question and, when you got no reply, you assumed that meant it was OK. I think you need to assume the opposite.

fisicx

I don't think it would be enough to say that you asked the question and, when you got no reply, you assumed that meant it was OK. I think you need to assume the opposite.

Correct. Consent has to be given. If no reply then no consent is given. And even if consent is given you still need to provide the option to unsubscribe and ask for your data to be removed.
What I expected to see was an influx of customers advising of the basis we are processing the information for on their behalf - guess what, we aren't.

That's because nobody really cares!

"Oh look!" they say. "Yet another stupid and pointless box that needs ticking! Well, whoopee!"

My experience is that the ICO won't answer specific queries,

That's because they don't know the answers either!

fisicx

That's because they don't know the answers either!

I suspect there will be a few high profile cases in the news with various fines to get people's attention.

Simon Plummer

Hi Simon,
We are a processor and have a form we will be sending to all of our customers asking them which Lawful basis of processing their data falls into. We will be sending these forms out at the end of this month. I will let you know how we get on.
I genuinely feel that if we have done this and can show we have done this if the ICO come knocking we can say, "well, what more could we have done?"

Thanks Graham, we too are taking this approach. Seems to be the favourable option.

Are you also telling them that a failure to respond will mean that you can no longer process their data? I don't think it would be enough to say that you asked the question and, when you got no reply, you assumed that meant it was OK. I think you need to assume the opposite.

Agree entirely, Newchodge! We don't mention this on the initial comms - we save this for the 'hardball' reminder!

Correct. Consent has to be given. If no reply then no consent is given. And even if consent is given you still need to provide the option to unsubscribe and ask for your data to be removed.

Consent isn't necessary in a lot of (if not most) situations; this is only one of the lawful bases for processing, and in fact it is the most onerous and best avoided if possible. For some reason the focus has been placed on consent - mainly in the marketing arena where it applies heavily. It is a common misconception that it is needed for all processing of personal data.

fisicx

Consent isn't necessary in a lot of (if not most) situations; this is only one of the lawful bases for processing, and in fact it is the most onerous and best avoided if possible. For some reason the focus has been placed on consent - mainly in the marketing arena where it applies heavily. It is a common misconception that it is needed for all processing of personal data.

If you look at the six lawful bases for processing there are all sorts of restrictions. For example, a lot of people are jumping on the 'legitimate interest' option without really understanding what this means. The criterion they all seem to be missing is: "The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply."

In other words, you can't just bung out marketing material to a random set of people and call it legitimate interest because: "...you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing". They wouldn't reasonably expect to get an email for a service they aren't already interested in or even need. Sending me an email offering PPC/SEO/telesales services is not legitimate interest.

But a sensible approach to marketing can generate great leads and still remain within the scope of GDPR.

Simon Plummer

Agree where marketing is concerned, however data processing is much, much wider, and most often consent isn't needed from what I have seen so far. My original question is not relating to marketing activities; we cover that off differently with either legitimate interests or consent if needed (again, with our activities mostly not necessary due to the specific targeted approach using publicly available information).

To justify legitimate interests you will need to document a legitimate interest assessment.

fisicx

Absolutely. If you need the data to process an order to meet regulatory requirements then legitimate interest is fine.

The problem is many companies seem to think that because they bought a list of emails last year it means they can use legitimate interest as the legal basis to send out marketing material.
As part of GDPR preparation we are understanding the basis for processing. What I expected to see was an influx of customers advising of the basis we are processing the information for on their behalf - guess what, we aren't.

Simon, this is falling at the first hurdle. GDPR contracts guidance -
• Whenever a controller uses a processor it needs to have a written contract in place.
• The contract is important so that both parties understand their responsibilities and liabilities.
• The GDPR sets out what needs to be included in the contract.
• In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.
• Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide 'sufficient guarantees' that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.
• Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don't comply.

• You say your customers are not advising you of their requirements. That being the case, there is no contract.

Simon Plummer

I am pretty versed in that article; we do have contracts in place. However, the question that was originally asked is around the best approach to take with our customers. It is clear that the documentation needs to be completed (which we are doing); obtaining this information will then allow us to add the relevant addendum to the contracts in line with the controllers' requirements.
As a processor are we responsible for obtaining this detail from the controller?
Do we just 'decide' which basis applies in the absence of anything from the controller?
If we don't hear, are we still compliant as an organisation? (as long as we can prove attempts at finding out)

1. The terms of any pre-GDPR contracts you have in place are voided by the change in legislation. New terms will have to be drawn up.
2. In a contract you cannot assume knowledge of the wishes of another party, so your customer must inform you of their requirements.
3. Once 1 and 2 have been completed, and the contracts signed, you have a solid basis to move forward.
4. If the customers will not volunteer their requirements, you can offer them contract terms and require their acceptance, but contracts must be in place.

James Reckons

If you look at the six lawful bases for processing there are all sorts of restrictions. For example, a lot of people are jumping on the 'legitimate interest' option without really understanding what this means. The criterion they all seem to be missing is: "The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply."

In other words, you can't just bung out marketing material to a random set of people and call it legitimate interest because: "...you use people's data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing". They wouldn't reasonably expect to get an email for a service they aren't already interested in or even need. Sending me an email offering PPC/SEO/telesales services is not legitimate interest.

But a sensible approach to marketing can generate great leads and still remain within the scope of GDPR.

I know this doesn't apply to random marketing. But there is a thing called 'soft opt-in' that we can use if we already have a business relationship. This means we can contact our customers outside of the sale, without explicit consent, if -

a - we obtained the customer's contact details in the course of a sale of products or services to that customer.

b - the emails we intend to send after we've provided the service are about the same or similar products.

No explicit consent required - just as long as we provide a simple means of opting out.

fisicx

Indeed, and that's how many businesses will be doing things. But if you read the guidance there is a very narrow set of conditions where you can use the soft opt-in.

Offering a boiler service one year after installing a new boiler is fine.

Offering to paint the utilities room after installing a new boiler isn't.

It has to be a product or service they would normally expect.