GDPR Webinars – Your Questions Answered and Recordings
The GDPR Data Processor and Data Controller webinars took place on March 21 and 28 respectively. The webinars broke both roles down to make it easier to understand what is required of the Data Processor and Data Controller by the upcoming legislation.
We would like to thank all who attended. A large number of questions were asked throughout both webinars, and we have enlisted our Head of Legal, Lisa Jordan, to respond to your queries. You can access the on-demand recordings here:
If you have not attended either webinar we recommend you view the recordings prior to reading the Q&A:
Role of the Data Processor:
Q: If the controller requires their employees to use a system, does the processor need to include opt-in language in the use of their platform?
A: No, not necessarily. Consent is one of six lawful bases for processing data. Consent can be withdrawn, and therefore another lawful basis for processing may be a better basis to use, e.g. contract or legal obligation.
Q: Do I need to show the same options for users to give as to withdraw consent?
A: This is quite technically detailed, but best practice is to give users the same method of withdrawing consent as they used to give it, i.e. consent given by email can be withdrawn by email, consent given via an opt-in box can be withdrawn via an opt-out box, etc.
Q: Or I can use different wording and potentially different groups of purposes for data consent?
A: You can group consent by purpose for similar products or purposes; however, I would recommend that you seek specific legal advice in your member state, as consent requests must be separate from other terms and conditions.
Q: Can I use personal data collected before GDPR for outbound user acquisition?
A: Recital 171 of the GDPR makes clear that you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there is no need to seek fresh consent. However, you will need to be confident that your consent requests already met the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily. On the other hand, if existing consents do not meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
Q: Is the presentation available anywhere for offline viewing?
Q: Is there any mandatory training for a DPO?
A: No, but a company must provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their GDPR obligations, and to maintain their expert level of knowledge.
Q: Where does MPP Global host data and through who?
A: This depends on the Client and is documented in the Contract with the Client in Schedule G on GDPR of our standard terms and conditions.
Q: I notice that your opt-in is very generic, do you need to be specific for each type of marketing you might send?
A: Best practice is to be specific, but as all our marketing communications, whether events, webinars, newsletters or information relating to our Services and eSuite, concern similar products or services, the generic opt-in consent is appropriate.
Q: How often do we have to renew consents?
A: There is no specific answer to this; however, you must ensure that you regularly review consents to check that the relationship, the processing and the purposes have not changed (and document your review). If you build regular consent reviews into your business processes and refresh consent at appropriate intervals (e.g. if you introduce a new service or product that is not similar to those covered by the consent already obtained, you will need to refresh your consent), this will be satisfactory for GDPR compliance.
Q: What consents are needed for business to business marketing contact?
A: I refer you to this section from the ICO’s website.
In summary, the GDPR applies wherever you are processing ‘personal data’. This means that if you can identify an individual either directly or indirectly, the GDPR will apply, even if they are acting in a professional capacity. So, for example, if you have the name and number of a business contact on file, or their email address identifies them (e.g. [email protected]), the GDPR will apply.
The GDPR only applies to loose business cards if you intend to file them or input the details into a computer system.
Q: Does a subscription count as contractual basis or legal obligation?
A: You will have to determine this yourselves, as you could also rely on consent as the lawful basis for a subscription. There are six lawful bases for processing, and the Regulations themselves, the guidance provided by the Article 29 Working Party and the ICO (if your main establishment is in the UK) provide substantial details on each of these lawful bases. If there is a contract in place between you and the subscriber, then contract could be an appropriate lawful basis to rely on. So, if a subscriber makes an online purchase of a print publication, the controller processes the address of the subscriber to deliver the magazine. This is necessary in order to perform the contract. However, the profiling of an individual’s interests and preferences based on the subscription is not necessary for the performance of the contract, so you will have to consider another lawful basis for processing for this purpose.
Please note that if you rely on legal obligation, you will have to identify and document the legislation that you are relying on to process the personal data.
If you rely on legitimate interest as the basis for processing, then you will have to apply the three-part test identified in Article 6(1)(f):
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
It is not sufficient for you to simply decide that it is in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing. The key under the GDPR is to identify and document your reasoning.
Q: Can ‘marketing’ be used as a catch-all policy? E.g. if we’re marketing different products such as events, subscriptions etc., or do they have to give their consent for each product?
A: No. If the marketing is consistent with the context in which the information was provided and concerns similar products or services, then you will not have to get separate consents. The key is the option to opt out. However, best practice would be to allow the end user to actively opt in and opt out of each product, subscription or service that you provide. Recital 47 of the GDPR says direct marketing is a legitimate use of personal information, which is true. It is important to remember, however, that other rules also apply, for example European Directive 2002/58/EC, also known as ‘the e-privacy Directive’ (implemented through the Privacy and Electronic Communications Regulations 2003 (PECR) in the UK). PECR restricts the circumstances in which you can market to people and other organizations by phone, text, email or other electronic means. So, when sending electronic marketing messages, remember that you have to comply with both the data protection law and PECR. You can check the Direct Marketing Checklist and read the Direct Marketing Guidance to get a fuller picture of how to send marketing without breaking the rules.
Role of the Data Controller:
Q: In a breach who is the supervisory authority you report to?
A: You need to identify your “relevant supervisory authority”, so for businesses operating solely in the UK this will be the Information Commissioner. For controllers and processors involved in processing data affecting individuals in multiple Member States, the Lead Supervisory Authority (LSA) is the data regulator in the country in which the controller or processor has its “main establishment” for data processing purposes according to Article 56 of the GDPR.
However, it is not this simple in practice if you are involved in cross-border processing and have several establishments; therefore, I would recommend that you consult the Article 29 Working Party Guidelines on Personal Data Breach Notification.
Q: We have attended many GDPR webinars and looked for information but have not been able to get any clear guidance on how to set up a good opt-in process. Would like to see templates or examples with guidelines.
A: Consent through opt-in is governed by both the GDPR and PECR (Privacy and Electronic Communications Regulations). Consent is one of the lawful bases for processing personal data under the GDPR. The ICO (UK) recommends the use of privacy dashboards or other preference management tools as a matter of good practice. We are unable to provide specific examples and guidelines, as these would need to be tailored to your company’s requirements, and professional legal advice should be sought in your member state. However, please see the guidance from the UK Supervisory Authority, the Information Commissioner, which does contain an opt-in example. We are not able to recommend them, but OneTrust provide privacy management software that may be able to help you with examples and templates.
Q: Is it possible for one entity to be both a data controller and a data processor? How does this affect compliance obligations?
A: Yes. You can be the Data Controller of your own data (i.e. employee data, end-user data, subscriber data, customer data, etc.) and you could also be a Data Processor if you then process data on behalf of a Data Controller.
Q: Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?
A: Consent is one of six lawful bases for processing personal information under the GDPR and you will need to consider whether consent is the best lawful basis for processing personal data. The definition of consent in the GDPR is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Explicit consent requires a very clear and specific statement of consent and is often used to represent the second part of the GDPR definition i.e. “by a statement or by a clear affirmative action”.
So, both “unambiguous” and “explicit” consent are required under the GDPR definition, whether you are a Data Controller or a Data Processor.
Q: Does my business really need to appoint a Data Protection Officer (DPO)?
A: Under the GDPR, you must appoint a DPO if:
- you are a public authority (except for courts acting in their judicial capacity);
- your core activities require large scale, regular and systematic monitoring of individuals (for example, online behavior tracking); or
- your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. You can appoint a DPO if you wish, even if you are not required to. If you decide to voluntarily appoint a DPO, you should be aware that the same requirements for the position and its tasks apply as if the appointment had been mandatory.
Q: Will the GDPR restrict profiling of data subjects? How will this affect my marketing efforts?
A: The GDPR does not prevent automated decision making or profiling but it does give individuals a qualified right not to be subject to a purely automated decision (Article 22 GDPR). I cannot specifically advise on how this will affect your marketing efforts and would recommend that you seek professional legal advice in your member state. However, for further guidance please see the Article 29 Working Party Guidelines on Automated Decision Making and Profiling.
Q: Does the GDPR also apply if I use pseudonymous or encoded data?
A: Recital 26 of the GDPR is the key here. It states that “the principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person”. So, the GDPR does apply to pseudonymous or encoded data as it could be attributed to an individual. The same recital continues to state that “the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable”. Therefore, completely anonymous data is not subject to the GDPR.
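The Recital 26 distinction above is easy to get wrong in practice, so here is an added Python example (not part of the webinar Q&A and not MPP Global code) that shows both sides of it. It uses keyed hashing (HMAC-SHA256) as the pseudonymisation technique, a constructed list of four subscriber records, a constructed key, and a group-size threshold of 2 for the anonymised aggregate; all of these are assumptions for illustration. The point it demonstrates: the pseudonymised table still lets whoever holds the key attribute a row to a person, so it remains personal data, whereas the aggregated counts with small groups suppressed no longer relate to an identifiable individual.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records; these are not real people.
SUBSCRIBERS = [
    {"email": "alice@example.com", "country": "UK", "plan": "print"},
    {"email": "bob@example.com", "country": "UK", "plan": "digital"},
    {"email": "carol@example.com", "country": "DE", "plan": "digital"},
    {"email": "dave@example.com", "country": "FR", "plan": "print"},
]


def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed HMAC-SHA256 token.

    The token is deterministic for a given key, so the same subscriber always
    maps to the same pseudonym (useful for analytics), but without the key the
    email cannot be recovered from the token. The key is the "additional
    information" that Recital 26 refers to and must be stored separately.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()
        out.append({"pseudonym": token, "country": r["country"], "plan": r["plan"]})
    return out


def reidentify(pseudonym, candidate_emails, key):
    """Link a pseudonym back to a person, given the key and a candidate list.

    This is exactly why pseudonymised data is still personal data: the
    controller (or anyone holding both the key and a list of identifiers)
    can attribute the record to a natural person. With the wrong key the
    match fails, illustrating that the key is what makes re-identification
    possible.
    """
    for email in candidate_emails:
        expected = hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, pseudonym):
            return email
    return None


def anonymise_counts(records, min_group=2):
    """Aggregate to per-country counts and suppress groups below min_group.

    No per-person row survives, and rare attribute values are dropped so a
    single subscriber cannot be singled out. Output of this shape is the kind
    of data Recital 26 treats as anonymous.
    """
    counts = Counter(r["country"] for r in records)
    return {country: n for country, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    key = b"constructed-demo-key-store-me-separately"
    pseudo = pseudonymise(SUBSCRIBERS, key)
    print("pseudonymised row:", pseudo[0])
    print("re-identified with key:",
          reidentify(pseudo[0]["pseudonym"], [r["email"] for r in SUBSCRIBERS], key))
    print("re-identified with wrong key:",
          reidentify(pseudo[0]["pseudonym"], [r["email"] for r in SUBSCRIBERS], b"wrong"))
    print("anonymised aggregate:", anonymise_counts(SUBSCRIBERS))
```

Running the script shows the pseudonymised row carrying no email, a successful re-identification when the correct key is supplied, a failed one with a different key, and an aggregate of `{"UK": 2}` in which the single DE and FR subscribers have been suppressed. The practical consequence for a controller or processor is that the HMAC key and any lookup table must be protected and access-controlled like the personal data itself, and only the suppressed aggregate can be treated as outside the GDPR's scope.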
Remember, to receive your full GDPR contract checklist from Head of Legal, Lisa Jordan, please e-mail [email protected]
*Please note that any GDPR guidance we provide does not constitute legal advice; if you require legal advice specific to your business, please consult an advisor or solicitor.