Ideas from the team

Category

GDPR: Consent Isn’t the Only Answer

Since publishing this post, we've written a further post that explores how upcoming changes to the Privacy and Electronic Communications Regulations could impact your organisation.

When the General Data Protection Regulation (GDPR) comes into effect in May 2018, it will usher in new protections for individuals, but it will also create new responsibilities for arts organisations and for Spektrix too.

We’re currently taking a close look at the regulations and making sure the Spektrix system provides the tools that you need to meet the obligations under the GDPR, as well as to continue processing data in an efficient, effective and legal manner. We’ll share more about this with you in the coming weeks.

We’ve also been looking in-depth at the GDPR and want to challenge some assumptions about compliance we’ve been hearing – specifically, the legal bases for processing data.

Of course, this is only our interpretation of the GDPR and is not legal advice. We strongly recommend you take your own legal advice in deciding how to comply with the GDPR.

Consent is not the only basis for processing data under GDPR

Much of the sector is rightly concerned about the stringent new requirements for processing data based on consent under GDPR and what these requirements mean for our business practices. Much of the advice available so far places emphasis on granularity, with demonstrable and explicit opt-in for all processing. This is making many of the organisations we work with doubt how they can process data lawfully, while also accomplishing their business objectives of communicating relevantly and respectfully with customers, donors and prospects.

But here’s some good news. While consent has been the most widely publicised, it is not the only basis for lawful data processing under GDPR. In fact, there are six bases. Most don’t apply to our clients, however we strongly recommend reviewing the GDPR concentrating on legitimate interest. The Information Commissioner herself, Elizabeth Denham, has recently published an article to encourage businesses to look beyond consent for processing.

“While consent has been the most widely publicised, it is not the only basis for lawful data processing under GDPR.”

Legitimate interest has very different requirements to consent. Essentially, it requires a data processor to balance their own legitimate business interests against the privacy interests of the individual for each type of processing in which the business engages. As an example, explicitly referenced GDPR in Recital 47, direct marketing activity falls under legitimate interest. Our reading of the regulation is that activities like donor communications and basic donor research are also covered, provided these activities are accurately described in a privacy policy.  

This isn’t to say that getting consent isn’t a useful and necessary basis for processing data in some cases. For example, consent is necessary when the effect of data processing has the potential to harm the individual. You also need consent when the balancing exercise required for legitimate interests indicates the interests of the individual are at odds with or outweigh those of the business, due to the harm it causes the individual. This could include data mapping to discover and use unshared telephone numbers, or using data which impacts the privacy of children.

However, the types of processing arts organisations typically engage in have very minor negative impact to most customers – and in fact in the majority of cases it can be a positive one. On the scales of legitimate interest, you can easily make the argument that the majority of data processing activity by arts organisations falls under legitimate interest.

“On the scales of legitimate interest, you can easily make the argument that the majority of data processing activity by arts organisations falls under legitimate interest.”

Our recommendation: base compliance on legitimate interest

Every organisation needs to make its own determinations about consent, and how to address the organisational risks and trade-offs of their chosen approach. However, we believe the majority of data processing engaged in by most of our clients falls within the scope of legitimate interest and that our clients should shift from a focus on consent and consider basing their compliance on legitimate interest.

For more information on consent and legitimate interest and on finding the right approach for your organisation, we recommend these helpful resources:

The latter provides an excellent framework for reviewing your specific data processes and determining if legitimate interest is applicable to each.

We strongly recommend that all the organisations we work with make this determination prior to developing a data processing plan, deleting or modifying any data or updating consent settings and policies.

“Every organisation needs to make its own determinations about consent, and how to address the organisational risks and trade-offs of their chosen approach.”

5 steps your organisation can take

Here are five other steps your organisation can take to prepare for GDPR:

  1. Create a data protection working group for a joined-up approach across your organisation including representatives from development, marketing, leadership and a lawyer or board member.
  2. Carry out a data audit to identify the data you’re keeping on individuals (customers, employees, students, etc.) across the organisation and in what manner it is being processed.   
  3. Determine which legal basis you’ll use for each of the ways you’ve identified data is being processed.
  4. Make and document a plan to demonstrate that you’ve considered data protection across the organisation and made considered choices about your approach.
  5. Create or update a public privacy policy. For more information on this, see the ICO’s guidance.

Our next steps

We’ll be publishing guidance and advice, and providing various resources, to help you prepare for GDPR. There also may be minor changes to Spektrix in the coming months to make sure the system helps our clients to comply for all the legal bases. We’ll share more information on this soon.

Keep in touch with us on GDPR via the blog and the Support Centre where we’ll be publishing all our updates. In the meantime, if you want to talk through GDPR with us, get in touch with the Spektrix Support team.

Note that this article is not intended to construe legal advice or offer comprehensive guidance.