GDPR is one of those acronyms you’re probably hearing a lot about at the moment. You’re no doubt receiving a high number of emails asking if you’re still happy to receive communications from a company and to be on their database. So what are the reasons behind this?
In 2016, a bill was passed by the European Union introducing the General Data Protection Regulation, which will come into force as of 25th May 2018. GDPR defines the legal rights of EU citizens in relation to their data, and enforces regulations on the data controllers and processors who hold that data.
Under GDPR, organisations will find themselves in one of two categories; data controllers and data processors. Controllers are those who ‘determine the purposes for which and the manner in which any personal data are, or are to be, processed’ and processors are those (other than an employee of the data controller) ‘who process the data on behalf of the data controller’.
The definition of ‘personal data’ applies to any information that can be used to identify a person, either directly or indirectly. That includes a subject’s name, location, IP address or mobile device identity, and any organisation that holds the personal data of any EU citizen must ‘implement appropriate technical and organisational measures’ to protect that data.
Any organisation holding EU citizens’ data will need to tell you how your data will be processed. There are 6 different lawful bases for this which are outlined for organisations as below:
1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests (this cannot apply if you are a public authority processing data to perform your official tasks).
As the 25th May deadline approaches, we’re sure you’re coming into contact with a number of different organisations who are communicating their own GDPR journey with you. This can sometimes feel overwhelming but it’s important to note that although organisations will communicate with you in different ways, they will all be working to the same lawful bases.
If you’re interested in learning more, we recommend consulting the Information Commissioner’s Office Guide to the General Data Protection Regulation which can be found here.