The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. GDPR is a hugely important piece of legislation designed to replace antiquated data protection rules with a new framework which accounts for recent technological advancements.
Fundamentally, GDPR is about protecting people: in this digital age, our world is awash with data and individuals are generating a continuous flow of personal information. This data can hold huge socio-economic value, from individual preference and personalisation, to understanding national health trends and global business insights. But while the digital age has brought forth huge possibilities and benefits, it also carries inherent dangers.
Some of the most powerful companies in the world have established a business model predicated on the basis of data capture. Increasingly, services like email, search and social media have become available free of charge, but this often involves a trade-off where user access comes at the cost of relinquishing control of data. As the value of this information has become clear, there has been growing recognition that a new framework is needed to police this delicate balance and restore ownership and control.
GDPR will significantly raise the bar of obligation and accountability, ensuring that all organisations which handle personal data adhere to strict regulations around privacy, security and consent. This conference will contextualise the changing regulatory landscape, explain the significance of incoming rules, and define the key areas that organisations need to be aware of.
Core conference topics include:
• Key legal issues and obligations
• Privacy Impact Assessments
• Data security and breach notification
• Privacy by design
• DPO requirements
• Practical strategy implementation
20. @iconews
Keep in touch
Subscribe to our e-newsletter at www.ico.org.uk
or find us on…
ICO Scotland
45 Melville Street
Edinburgh EH3 7HL
T: 0131 244 9001 E: Scotland@ico.org.uk
27. Why?
GDPR Article 37 – a DPO is needed in any case where:
• The processing is carried out by a public authority or body, except for courts, or
• The core activities of the Data Controller or the Data Processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or
• The core activities of the Data Controller or the Data Processor consist of processing large volumes of Special Categories of Data or information about criminal convictions and offences.
28. Who?
The DPO must have
• expert knowledge of Data Protection law and practices.
• excellent understanding of the organisation’s governance structure – “Get the Bored Board on Board”
• necessary resources to fulfil the relevant job functions
• a certain level of independence and a degree of protection against dismissal or other sanctions on grounds that relate to their performance of their DPO tasks.
29. Who?
The DPO must be
• familiar with the organisation’s IT infrastructure and technology.
• employed (“internal DPO”) or have a service contract (“external DPO”)
The DPO may have
• other tasks within the organisation, so long as there is no conflict of interest with the DPO role.
WP29: the DPO must not determine the purposes and the means of the processing of personal data
31. The role
• Statutory role:
– To inform and advise about obligations to comply with GDPR and other data protection laws.
– To monitor compliance with the GDPR and other data protection laws.
– To be the first point of contact for the ICO and data subjects.
→ The go-to source for data protection advice.
32. How to find a DPO…
GDPR experts are all around us…
“Beware of GDPR Snake Oil: It's amazing how many
GDPR experts have suddenly appeared on places like
Linkedin and my email in-box.”
(Richard Gough, Head of Group IT Operations & Security at Punter Southall Group)
33. …who meets all requirements?
• “Wanted: a qualified, experienced DPO…”
34. • Qualification? Not expressly in GDPR, but often asked for
• Don’t:
– give the job to an existing member of staff and expect them to learn it on the job;
– nominate a figurehead and then expect the people s/he manages to do the work → where’s the independence?
• Ensure reporting chain and accessibility
– DPO must report to senior management and be accessible to all within and outwith the organisation
35. Shared DPOs – the situation
• You need:
– An experienced data protection officer
• You are:
– A small(ish) organisation that still needs a DPO
• They cost:
– Up to £50,000 in large organisations (stop laughing at the back)
The solution – an external, shared DPO?
37. The pros:
• No political or organisational baggage
• Easy to act in an unbiased manner without fear for their job
• No worries about favouring certain departments or individuals
• Listened to with more respect than an employed colleague
• Lower costs
38. The cons:
• More difficulty with accessibility to data subjects and readiness to resolve any issues raised by the subject or Supervisory Authority.
• Not as easily accessible to all sharing parties
• Allocation of time and tasks – service contract?
• Institutions will still need to employ people ‘on the ground’ to ‘do the doing’ internally
• No intimate knowledge of the workings of the individual institutions and how these may vary from each other
• What if something happens in two organisations at the same time? What if the DPO is sick/on holiday?
39. Time’s running out…
• DPO to implement changes for GDPR?
• Case study (Ken, don’t listen…): senior professors auto-forward emails to private gmail accounts:
– what would you do – pick your battles?
40. Breach management
• Putting an appropriate system in place
• “Personal data can be paper?? Really???”
• Ensure a reporting process that involves the DPO at an early stage – triage of incident reporting
41. Effective collaboration
• Be hands-on if you want to achieve something. Don’t rely on others to do the work.
• Have a good sense of humour!
• Two options:
– Human cloning, or:
– Network of Data Protection Champions:
• Properly trained
• Doing triage within Departments
• Only contact the DPO for difficult cases
42. The benefits of diplomacy
• Get endorsement from Service Managers etc. to avoid treading on toes!
69. ABERDEEN • EDINBURGH • GLASGOW • BRUSSELS www.brodies.com/GDPR
Beyond information security – what is GDPR about?
GDPR Scotland Summit
Martin Sloan, Partner
21 November 2017
Blog: http://techblog.brodies.com Twitter: @lawyer_martin
70. Outline
• Separating fact from fiction
• Embedding privacy and GDPR in your organisation
• Developing a plan for compliance
• Six months to go – key priorities
72. A quick recap
• The biggest shake-up of data protection law in nearly 25 years
• The General Data Protection Regulation (GDPR)
– New EU-wide data protection law which will have direct effect in EU member states
– Enters into force on 25 May 2018
– Greater consistency of regulatory treatment
– Stronger and more coherent data protection framework
– Backed by strong enforcement
• The Data Protection Act 1998 will be repealed
73. Evolutionary
Some concepts remain broadly similar
• Key concepts – personal data, sensitive personal data, processing, data controllers, data processors etc.
• Data protection principles – recognisable, but explicit reference to both transparency and accountability
• Conditions for processing – similar, but some changes
• Data subject rights – broadly recognisable (subject access, rectification, processing restrictions), but there are some new ones
• International transfers
• Basic data security obligations – BUT see new data security breach notification requirements
• The ICO – still a UK national supervisory authority
74. What’s changing?
• Transparency – enhanced fair processing transparency requirements
• Consent – concept of consent tightened; easier for individuals to withdraw
• Accountability – obligation to demonstrate compliance; use of privacy impact assessments; training; policies
• Administration – increased administration and record keeping requirements
• Data subject rights – enhanced rights including subject access, increased ‘rights to be forgotten’ and data portability
• Organisational principles – data protection by design and by default
• Data processors – statutory responsibility for data processors
• Data protection officers – mandatory for certain organisations
• Breach notification – mandatory breach notification for certain breaches
• Supervisory authorities – lead authority; formal consistency mechanism
• Sanctions – fines of up to 4% of worldwide turnover or €20M
75. Draft ePrivacy Regulation
• Current law:
– 2002 Directive/Privacy & Electronic Communications Regulations 2003
– Supplements the DPA
• Draft ePrivacy Regulation published 10 January 2017
– Rules on electronic marketing largely unchanged – soft opt-in remains
– But incorporates the definition of consent from GDPR
– Simplified rules on cookies/tracking tech – use of device settings
– New rules on identifying marketing calls
• Current status
77. Some GDPR myths
• GDPR is a revolution in data protection law
• The high fines will cause firms to go bust
• GDPR applies only to personal data processed after 25 May 2018
• Brexit means that we don’t need to worry about GDPR
• GDPR does not apply if personal data has been encrypted
• I can buy a product/service that will make me GDPR compliant
Image: https://iconewsblog.org.uk/
78. Some GDPR myths
• I can’t process personal data without consent
• There is an exemption for small business
• The right to be forgotten will stop my business from being able to provide services to customers or employ my staff
• Every personal data breach will need to be reported to the ICO
• If I use the cloud then GDPR compliance is my service provider’s problem
• The ICO is still unlikely to take any enforcement action
Image: https://iconewsblog.org.uk/
80. Accountability – Data Governance
• Controllers are expected to be able to demonstrate that they comply
• New responsibilities include:
– Implementing ‘appropriate and effective measures’ for compliance, including appropriate data protection policies
– Data protection by design and default – building DP compliance (eg data minimisation) into processing processes and activities
– Conducting privacy impact assessments for processing considered to be ‘high risk’
– Detailed requirements to keep records of processing activities
– Express obligation to co-operate with regulators
81. Accountability – Record keeping
• Data processing activities, including:
– Purposes of the processing
– Description of the categories of data subjects and personal data
– Categories of recipients
– Details of data transfers outside the EEA
– Data retention periods
– General description of data security measures
• Register of data processors
• Register of personal data breaches
82. Accountability – Data Governance – Data Protection Officers
• Mandatory for public authorities and for controllers and processors whose core activities involve
– Regular processing of sensitive personal data
– Regular/systematic monitoring of data subjects on a ‘large scale’
• Can be on a group-wide basis so long as the DPO is ‘easily accessible’
• DPO must
– have professional qualities and expert knowledge
– be allowed to perform responsibilities in an independent manner
– be supported and properly resourced
• Conflicts of interest
• DPO role – general advisory; compliance monitoring against GDPR and policies; training and awareness; audits; privacy impact assessments; dealing with regulators – but NOT personally responsible for compliance
• DPO may be an employee or a contractor
83. Accountability – Data privacy impact assessments
• Application
– GDPR requires DPIAs for “high risk” processing
– WP29 recommends DPIAs as an accountability tool in other situations
– WP29 considers the list of activities in article 35(3) to be non-exhaustive
– If no DPIA then you should document why it is not required
• Existing processing
– No need to carry out for existing processing – unless there is a change to the risk
• Timing, personnel and consultation
– Early stage and reviewed periodically (at least every three years)
– If you have a DPO then they must be involved
– Obtain the views of data subjects (and if not, document why)
• Publication
– WP29 recommends that data controllers should publish DPIAs
84. Embedding privacy within your organisation
Policies and procedures and data protection by design
• Review and update your policies and procedures
– Employee facing policies and procedures (eg AUP, employee monitoring)
– Employee training on data handling, breach reporting
– Team specific training/procedures?
– Data handling policies and procedures, eg
• DSARs, erasure, objections, portability
• Data retention
• Access controls
• New projects
– Data protection by design
– Use of privacy impact assessments
86. What if we’ve not yet started?
• Our 5 top recommendations
‒ Resource
‒ Data Mapping
‒ Data minimisation
‒ Review processing justifications
‒ Contract reviews
• Download our handy guide to preparing for GDPR:
http://brodi.es/PrepareForGDPR
87. Area – Requirement/Impact – Action
General
• Resourcing
– Requirement/Impact: Do you need to appoint/should you appoint a DPO? Increased requirements of GDPR will place additional compliance obligations on organisations
– Action: Ensure responsibility for GDPR is clear at board level. Appoint a DPO quickly (if you’re appointing one). Properly resource ongoing compliance. Is there sufficient expertise within the organisation? Consider establishment of a central compliance function with responsibility for handling regulatory queries, DSARs/other individual requests, data security breaches, training etc.
• Data audit
– Requirement/Impact: Any GDPR compliance programme needs to be built on a complete picture of what data is being processed, why it is being processed and by whom it is being processed, to establish where the organisation is not GDPR compliant and to establish a prioritised action plan
– Action: Conduct a data audit, remembering that the audit should catch processing
• Extra-territorial reach
– Requirement/Impact: Extra-territorial impact will catch processing outside the EU which targets EU citizens, even by organisations that have no EU presence or nexus
– Action: For groups operating outside the EU, analyse any processing by non-EU group companies for GDPR compliance. Consider whether measures can be taken to avoid unnecessary GDPR reach
88. Area – Requirement/Impact – Action
Accountability and Administration
• Accountability
– Requirement/Impact: More generally, organisations will need to implement appropriate policies and implement measures that demonstrate compliance
– Action: Consider the adequacy of policies and measures. They may need revamped and you may need new ones
• Transparency
– Requirement/Impact: GDPR requires more information to be included in privacy notices
– Action: Privacy notices will need to be reviewed and updated. Use layered and ‘just in time’ notices
• Consent based processing
– Requirement/Impact: Requirements for consent based processing are tighter. Likely to impact particularly in areas such as marketing
– Action: Will existing consents be valid for GDPR purposes? If not, will they need refreshed, or can processing be grounded on an alternative basis?
• Data retention
– Requirement/Impact: The requirement for greater transparency means that organisations will face greater scrutiny around data retention and destruction practices
– Action: Ensure that the organisation has appropriate data retention and destruction policies and procedures and that they are being actioned both for new and legacy data
• Privacy impact assessments
– Requirement/Impact: PIAs will be on a statutory footing under GDPR. Organisations must be prepared to carry out PIAs for ‘high risk’ processing and those operations for which PIAs are prescribed
– Action: Develop PIA process and methodology and appropriate policies and procedures (see earlier)
• Record keeping
– Requirement/Impact: Many organisations will be required to keep records of processing being carried out
– Action: Review record keeping to ensure adequacy. Consider if the exemption applies (organisations with fewer than 250 employees, provided certain other conditions are met)
89. Area – Requirement/Impact – Action
Security
• Data security
– Requirement/Impact: Although data security standards are broadly the same, the requirements are more explicit – and the penalties for data security breach are greater
– Action: Consider whether current data security standards are adequate
• Data breaches
– Requirement/Impact: GDPR introduces requirements for mandatory data security breach notifications
– Action: Introduce a clear policy and procedure for internal reporting of data security breaches. Establish a central breach management unit
Commercial
• Contracts
– Requirement/Impact: New requirements for data processing agreements
– Action: Review data processing agreements which will run post May 2018 and update contract templates
• Technology refresh
– Requirement/Impact: New GDPR requirements may require additional functionality of legacy IT systems
– Action: Review existing IT. Is it up to scratch? Consider the contractual position before engaging with suppliers
• Procurement
– Requirement/Impact: Ensure that GDPR is factored into new IT procurements
– Action: Ensure GDPR compliance is factored into procurement decisions. Consider if a PIA is required
92. Six months to go - key actions
• Appoint or resource your DPO (if you need to have one)
• Review and update your privacy notices
• Develop a strategy for refreshing consents (especially for direct marketing)
• IT projects/development work:
– re-engineer data collection forms/privacy controls in apps and websites
– review/reconfigure IT systems
– tools for enabling data subject requests
• Start creating key records and registers:
– Data processing register
– Register of data processors
• Get contract amendments in place
• Update policies and procedures
• Staff training and awareness
101. strictly private & confidential
• Review existing privacy policies and statements in order to document how they compare with GDPR requirements.
• Assess data subject rights to consent, use, access, correct, delete and transfer personal data.
• Discover and classify personal data assets and affected systems.
• Identify potential access risks.
Don’t forget the security requirements:
• Assess the current state of your security policies, identifying gaps, benchmarking maturity and establishing conformance road maps.
• Identify potential vulnerabilities, supporting security, encryption and privacy by design.
• Discover and classify personal data assets and affected systems in preparation for designing security controls.
112.
1. Securing your data is the new imperative
2. Manage access to critical data
3. Hack yourself to anticipate future attacks
4. Strengthen your weakest link: Humans
114.
“Set priorities, focus energy and resources, strengthen operations, ensure that employees and other stakeholders are working toward common goals”
117. Training
• Issue a monthly GDPR bitesize comms throughout your organisation
• Provide supporting guides for your frameworks covering the basics in 60 seconds
• Drop-in surgery
• Establish company-wide e-learning to support your goals
• Get your IT department to sign up to sites such as: https://www.us-cert.gov/ https://csrc.nist.gov/ https://www.ncsc.gov.uk https://threatpost.com/
124. Privacy and data protection
• privacy: autonomy, conscience, enabling other rights and democratic participation
• data protection: legal compliance, fairness, transparency and accountability
• but it can get complicated
125. Challenges
Individual
• identifiability: is this personal data?
• complexity: can you explain your machine learning toy?
• micro targeting: fairness vs justice and risk pooling
• collective impacts: it's not who you are, but your data class
• mass manipulation: data, behavioural science and free will
Society
127. How is GDPR going to fix all this?
• GDPR compliance
• but also about rights: information, access, rectification, erasure
• limited rights: objection, profiling, portability
• Data protection is a fundamental right under EU law, which shall be missed after Brexit
128. Impact of GDPR for rights?
• Should have some positive impact for individuals, e.g.:
• pseudonymous data
• know your data accountability principle
• More on day to day common problems
• Less on difficult collective and social issues
129. Effectiveness of GDPR
• enforcement by data protection authorities
• individuals know their new rights
• stronger powers for consumer groups
130. Who gets the value
• Data is not the new oil
• Fair compensation
• A market of personal information?
• Fairness is good, but also justice
132. Public interest & consent
• Data for a better functioning society and economy
• Promises may be excessive
• but some data can be a force for some good
133. Public interest and consent
• Consent is doubly abused
• Public interest does not require consent, but it’s very
limited for companies
• But I'm doing a public good with my traffic app!
134. Privacy by design
• Nobody really knows, but not an afterthought
• Beyond compliance
• Privacy impact assessments
• EU funded VIRT-EU project to develop privacy, ethical and social impact assessments
135. Customer centric systems
• Control over their data
• personal data stores, vendor relationship management and other systems have been around for some time
• managing consent, data access, portability, etc.
• ICO grant to develop tools, talk to us!
150. Personal Data
Employment Information
• Current and past employers
• Position
• Employee ID
Photographic Information
• Family Photos
• Family Videos
• Student Photos
• Employee Photos
Belief Information
• Publicly Expressed Religion
• Church Directory
• Political or Philosophical beliefs
• Political Donations
Biometric Information
• Fingerprint
• Retina scan
• Facial image
• DNA
Family Information
• Spouse Name
• Spouse Occupation
• Children Names
• Children Ages
Law Enforcement Information
• Driving Record
• Parking Tickets
• Arrests
• Convictions
Health Information
• Claim forms
• Health Insurance ID
• Doctors notes
• Medical condition status
Demographic Information
• Date of Birth
• Height
• Weight
• Hair Colour
Government Issued ID
• National ID
• Driving License ID
• Vehicle Registration
• Passport Number
Communication Information
• IP Address
• URLs visited
• Comments posted to websites
• Email contents
185. Douglas Rintoul – Head of IT and Information Security
• Background in IT
• Focus on information security
• Privacy ties in with information security
• Currently DPO
CITP, CISSP, CISM, PC DP
188. The Client Journey – Take On Process
(Flow diagram; labels as shown on the slide:)
• Client Created on CRM system
• Money Laundering checks
• DPA
• Privacy Information
• Individual or business agrees to become a client
189. The Client Journey
Business Lines
• Audit
• Business Advisory
• Business Solutions
• Consulting
• Corporate Finance
• Employer Solutions
• Restructuring
• Tax
• Wealth
Provision of Services
• Exec Teams
• IT
• Marketing
• Business Development
• HR
• Learning and Development
• Payroll
• Health and Safety
• Finance
192. GDPR Compliance Framework
(Framework diagram; components as shown on the slide:)
• DPA – Risk Register
• 3rd Party Processors
• Privacy By Design
• Subject Access Requests
• Incident management/Data Breach Reporting
• Data subject Rights
• Training
• Privacy Information
• PIA
• GDPR Policy
• Information Security Policy
213. Personal Data
Employment Information
• Current and past employers
• Position
• Employee ID
Photographic Information
• Family Photos
• Family Videos
• Student Photos
• Employee Photos
Belief Information
• Publicly Expressed Religion
• Church Directory
• Political or Philosophical beliefs
• Political Donations
Biometric Information
• Fingerprint
• Retina scan
• Facial image
• DNA
Family Information
• Spouse Name
• Spouse Occupation
• Children Names
• Children Ages
Law Enforcement Information
• Driving Record
• Parking Tickets
• Arrests
• Convictions
Health Information
• Claim forms
• Health Insurance ID
• Doctors notes
• Medical condition status
Demographic Information
• Date of Birth
• Height
• Weight
• Hair Colour
Government Issued ID
• National ID
• Driving License ID
• Vehicle Registration
• Passport Number
Communication Information
• IP Address
• URLs visited
• Comments posted to websites
• Email contents
240. In the words of the ICO
It’s evolution not revolution. And it’s an opportunity.
Those organisations which thrive in the changing environment will be the
ones that look at the handling of personal information with a mindset that
appreciates what citizens and consumers want and expect.
That means moving away from looking at data protection as a tick box
compliance exercise, to making a commitment to manage data sensitively
and ethically.
When you commit, compliance will follow.
Source: Elizabeth Denham, Information Commissioner at the Institute of Directors Digital Summit, 17th October 2017
241. Privacy by Design
• 7 Foundational Principles
• Proactive not reactive; preventative not remedial: anticipates and prevents privacy invasive events before they happen
• Privacy as the default setting: maximum degree of privacy as standard – the individual need not do anything.
• Privacy embedded into design: privacy is integral to the system, not a bolt-on after the fact
• Full functionality – positive sum not zero sum: you can have both privacy and security – one does not have to suffer at the hands of the other.
242. Privacy by Design
• End to end security – full lifecycle protection: privacy, having been there at the birth, extends through the whole lifecycle of the data.
• Visibility and transparency – keep it open: everything is visible so individuals can see compliance with the rules
• Respect for user privacy – keep it user-centric: put the individual first – strong privacy defaults, appropriate notice and empowering user friendly options.
244. Only 20% of the UK public have trust and confidence in companies and organisations storing their personal information
Source: ICO Survey July 2017
245. ICO Survey
• UK citizens are more likely to trust public bodies than private companies or organisations
• 61% have trust/confidence in the NHS/GP using and storing their data
• 53% police
• 49% national government departments
• 12% social messaging platforms
• 8% have a good understanding of how personal data is made available to third parties
• Older people are more likely to say they have little trust and confidence.
246. ICO Survey
• “As personal information becomes the currency by which society does business, organisations need to start making people’s data protection rights a priority. Putting data protection at the centre of digital businesses strategies is the key to improving trust and digital growth.”
• “Changes to data protection legislation, which include the introduction of the GDPR, offer organisations an opportunity to re-engage with their customers about data. The new laws require organisations to be more accountable for data protection and this is a real commitment to putting the consumer at the heart of business.”
Steve Wood, Deputy Commissioner
247. GDPR Legal grounds
• Need a legal ground for processing personal information under GDPR, plus compliance with the GDPR principles
• GDPR Principles very similar to Data Protection Act Principles
• 6 legal grounds available under GDPR
• No hierarchy of legal grounds – all are equally valid
• Direct marketing activities – the two most likely to be used are consent and legitimate interests
• Consent could be problematic
• Legitimate interests
• Other grounds are 1) performance of a contract, 2) necessary for compliance with a legal obligation, 3) protect the vital interests of an individual, 4) necessary for a public interest/official authority task
249. What is GDPR consent?
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• Pre-ticked boxes will not be valid consent
• An end to conditional (tied-in) consent
• Must be collected in an ‘intelligible and easily accessible form, using clear and plain language’
• Must be as easy to withdraw as to give consent
251. “I would rather opt in than opt out. Opting out is a sneaky way of doing business”
“I distrust companies who expect you to opt out, rather than invite their customers to opt in. This may lead to smaller numbers of customers, but they will be much more positive about your company.”
“Too many options to tick. This sort of thing should be kept as simple as possible so people are not confused. They should ask if you want to opt in not out.”
252. “Opt in boxes are so much more customer friendly”
“Brilliant. Leaves you in total control whether you want further information”
“This positive answer is much better. Clearer and less ambiguous. It feels less like the company is trying to trick you into saying yes!”
253. At xxxxx, we have exciting offers and news about our products and services that we hope you’d like to hear about. We will treat your data with respect and you can find the details of our Contact Promise here.
I’d like to receive updates by email from xxxx based on my details
You can stop receiving our updates at any time and if you prefer that we do not use your information to predict what you might be interested in let us know here.
265. What is it?
Article 6 (1) (f):
Processing will be lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
266. Use for direct marketing?
• Direct marketing recognised as a legitimate interest in the text of the Regulation
• Cannot use it where the fundamental rights and freedoms of individuals override the rights of organisations – need for a balancing test
• Provision of unsubscribe/opt-out normally satisfies the test
• Cannot use it for processing personal data about children
• Processing must be necessary for the purpose of the legitimate interest pursued
• Requires a connection between the processing and the interests pursued
• Need to consider if other less privacy intrusive methods are available to achieve the legitimate interests
• DPN legitimate Interests guidance
268. Examples of legitimate interests – recitals 47 – 50
• where the data subject is in the service of the controller
• where the data subject is a client of the controller
• Intra-group transfers for internal admin purposes
• fraud prevention
• network and information security
• Direct marketing (maybe)
269. Further practical examples
• evidential purposes
• suppression lists
• bona fide service messages to customers
• analytics
• employee relations
270. Legitimate Interests – in practice
Where a Controller wishes to rely on Legitimate Interests as the legal basis for a processing operation, it will need to be able to demonstrate to a Supervisory Authority and/or an individual, when challenged, that Legitimate Interests is an appropriate legal basis for that processing activity and be in a position to defend the reasoning behind its decision to proceed with processing.
• There are several factors to consider when making a decision regarding whether an individual’s rights would override a business’s Legitimate Interest. These include:
– the nature of the interests;
– the impact of processing;
– any safeguards which are or could be put in place.
271. Legitimate Interest Assessments (LIAs)
1. Whether a Legitimate Interest exists
2. Whether the processing is necessary
3. Balancing Test
272. Information rights
• Regardless of your ground for processing personal data you do need to provide the enhanced information rights in your privacy policy.
273. Transparency – Information Requirements
• Who is the Data Controller?
• Their contact details
• What are the legal bases and purposes of processing?
• Are Legitimate Interests being relied upon by you or third parties?
• Who the recipients of the data may be
• If the data will be transferred outside the EU and how this is protected
• How long will it be stored?
• How to exercise rights
• The right to withdraw consent
• The right to complain to the Supervisory Authority
• Whether data is required for contractual purposes and the consequences of refusing
• Whether profiling with legal effect exists (also other profiling)
274. “You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.”
ICO Draft Consent Guidance
275. Example privacy policy wording
Privacy policy
We process personal information for certain legitimate business purposes, which include some or all of the following:
• where the processing enables us to enhance, modify, personalise or otherwise improve our services / communications for the benefit of our customers
• to identify and prevent fraud
• to enhance the security of our network and information systems
• to better understand how people interact with our websites
• to provide postal communications which we think will be of interest to you
• to determine the effectiveness of promotional campaigns and advertising.
Whenever we process data for these purposes we will ensure that we always keep your Personal Data rights in high regard and take account of these rights. You have the right to object to this processing if you wish, and if you wish to do so please click here. Please bear in mind that if you object this may affect our ability to carry out the tasks above for your benefit.
276. Data collection statements
You will need to update your data statements wherever they appear, offline and online, to be clearer and more transparent.
We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide, but which we believe also benefit our customers. Click here to learn more about these interests and when we may process your information in this way.
278. Raising the bar to GDPR standards
• Bringing your customer database up to the standard required for whatever legal ground you are using under the GDPR
• Updating your privacy policy with the information requirements.
• Updating data collection notices to be clear and transparent about the use of data.
279. Bringing data up to GDPR consent
• Consent under GDPR is a much higher standard than consent under the Data Protection Act and Privacy and Electronic Communications Regulations
• ICO draft GDPR Consent Guidance published for consultation Spring 2017. Final version will not be published until December 2017 because of European level work.
• Consent must be:
– Unbundled
– Positive opt-in
– Granular
– Named
– Documented
– Easy to withdraw
– No imbalance in the relationship
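The consent properties listed above (positive opt-in, granular, named, documented, easy to withdraw), together with the "pre-ticked boxes will not be valid consent" and "as easy to withdraw as to give" points from slide 249 and the record-keeping registers from slide 81, translate into a few concrete design rules for the system that stores consent. The following is an added example, not code from any of the presenters or from ICO guidance; the purpose names, subject identifiers and wording versions are constructed placeholders.

```python
"""Consent ledger illustrating the consent properties on the slide:
positive opt-in, granular per purpose, named controller, documented,
and as easy to withdraw as to give. Added example; names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry ("documented"): what was agreed or withdrawn,
    by whom, for which named controller, under which notice wording, and when."""
    subject_id: str
    purpose: str
    granted: bool            # True = opt-in given, False = withdrawn
    controller: str          # "named": the organisation the subject agreed to
    wording_version: str     # which version of the notice the subject actually saw
    source: str              # channel the action came through (constructed labels)
    timestamp: datetime


def pre_ticked_purposes(form_defaults: Dict[str, bool]) -> List[str]:
    """Return the purposes whose checkbox defaults to ticked. Anything listed
    here is not a positive opt-in and would not count as valid consent."""
    return sorted(p for p, checked in form_defaults.items() if checked)


class ConsentLedger:
    """Append-only consent record with per-purpose ("granular") decisions.
    The purposes are constructed examples, not a list from any regulator."""

    PURPOSES = frozenset({"email_marketing", "sms_marketing", "profiling"})

    def __init__(self, controller: str):
        self.controller = controller
        self._events: List[ConsentEvent] = []

    def _record(self, subject_id, purpose, granted, wording_version, source, at):
        if purpose not in self.PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent is recorded per purpose")
        event = ConsentEvent(subject_id, purpose, granted, self.controller,
                             wording_version, source, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def grant(self, subject_id: str, purpose: str, *, wording_version: str,
              source: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Record a positive opt-in for exactly one purpose."""
        return self._record(subject_id, purpose, True, wording_version, source, at)

    def withdraw(self, subject_id: str, purpose: str, *, wording_version: str,
                 source: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal takes the same call as granting: no extra steps or hurdles."""
        return self._record(subject_id, purpose, False, wording_version, source, at)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest decision wins. With no recorded decision the answer is False:
        silence or an unticked box is never treated as consent."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.granted
        return False

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full audit trail for one subject, usable to evidence consent to a
        supervisory authority or to answer a subject access request."""
        return [e for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed walkthrough: a sign-up form, then a withdrawal by phone.
    bad_form = {"email_marketing": True, "sms_marketing": False}
    print("pre-ticked (invalid):", pre_ticked_purposes(bad_form))      # ['email_marketing']
    ledger = ConsentLedger("Example Co Ltd (constructed)")
    ledger.grant("subj-001", "email_marketing", wording_version="notice-2018-05", source="web form")
    print("email ok?", ledger.has_consent("subj-001", "email_marketing"))  # True
    print("sms ok?", ledger.has_consent("subj-001", "sms_marketing"))      # False: never asked
    ledger.withdraw("subj-001", "email_marketing", wording_version="notice-2018-05", source="call centre")
    print("email ok after withdrawal?", ledger.has_consent("subj-001", "email_marketing"))  # False
    for e in ledger.history("subj-001"):
        print(e.timestamp.isoformat(), e.purpose, "granted" if e.granted else "withdrawn", e.source)
```

Two design choices carry the weight here: the ledger is append-only, so a withdrawal never erases the evidence that consent once existed (and when it was given, under which wording), and the default answer for any purpose that was never explicitly opted into is False, which is what rules out pre-ticked boxes and bundled "agree to everything" checkboxes at the data-model level rather than only in the form.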
280. Bringing data up to legitimate interests
• Easier task than bringing data up to consent standards
• Legitimate interests can be used for all marketing channels which operate currently on an unsubscribe/opt-out basis
• Postal mail, live voice call telemarketing, email and SMS marketing if using the existing customer/soft opt-in exemption
• DMA view – cannot use legitimate interests
– 1) where law requires you to use subscribe/opt-in consent, such as charities sending email marketing to donors/supporters
– 2) where the organisation is already using a subscribe/opt-in