The talk was introduced by Pearlfinders’ MD Anthony Cooper and then moved on to a panel discussion hosted by Rainmaker’s Gareth Dixon, with questions aimed at Mike Thorne, Pearlfinders’ Deputy MD, and Stefano Debolini, an associate solicitor at Sheridans law firm who specialises in Data Protection, Intellectual Property and Technology.
There are plenty of detailed guidelines on the topic of GDPR, but two key topics interested me the most.
1. Legitimate interest
2. What to do if you haven’t implemented any GDPR measures yet
Firstly, ‘legitimate interest’. I got the impression during the session that ‘legitimate interest’ was a subjective term, and wondered if businesses could define this themselves. I spoke to Stefano after the session and followed up with a few emails discussing the matter. He agreed that while it is a subjective phrase, he thought it would take a little time before the industry gets a firm grasp on when it would or wouldn’t be applicable.
Stefano went on to tell me that “while there isn’t a concrete, exhaustive definition of ‘legitimate interest’ in GDPR, we do know there are specific situations where it may apply, such as for marketing, fraud prevention, IT security and similar, because they are specifically mentioned in the regulation”.
While that doesn’t mean we can sit around a table and arbitrarily decide what constitutes legitimate interest, businesses are advised to carry out the following process to define this:
- Identify clearly and specifically the processing involved, and the legitimate interest pursued
- Confirm that the processing is necessary to pursue that legitimate interest
- Balance the legitimate interests against risks to the data subjects involved.
Having completed these steps, it should then become clear whether the data used is proportionate, has a minimal privacy impact, and whether the people involved would be surprised by, or likely to object to, its use. If not, we are unlikely to fall foul of the law.
It’s worth bearing in mind that legitimate interests are only one of the lawful grounds for processing personal data. Every business processes personal data in a number of ways, such as marketing, employee records, and information about clients and suppliers.
Legitimate interests apply some of the time, but often you need to consider whether a different lawful basis for processing is relevant: for example, where you need to process personal data to perform your obligations under a contract, or in certain circumstances where you will need to ask for consent.
The second topic raised was what to do if you haven’t implemented any GDPR measures yet.
As the law comes into force on 25th May 2018, at the time of writing there’s less than one month to go. I got my answer from the panel, which summarised things very nicely for me at the end of the session:
- Don’t be scared, but do take action. It’s best to start doing something now rather than leave things until after the law has come into effect.
- Document the entire process from start to finish; what data is stored, how it’s being used and does it (all) need to be retained – you can never document enough!
- Don’t believe the hype. Consent isn’t needed for everything. Asking contacts, customers and prospects to opt in isn’t essential as long as you have a legitimate interest to communicate with them.
As part of getting ready for GDPR, you will need to update some of your contracts, policies and privacy notices. Occasionally, you might need to tweak the way you do things. The best starting point is to get “the big picture” and find out what personal data you use, and why. The rest will flow from there.
With thanks to:
The team at Pearlfinders for hosting the event: www.home.pearlfinders.com
Stefano Debolini at Sheridans