We are very worried for some of you. We are hearing from quite a number of customers that other data suppliers are saying their data can be used on the GDPR legal basis of 'consent'. It's not just…
We are very worried for some of you. We are hearing from quite a number of customers that other data suppliers are saying their data can be used on the GDPR legal basis of 'consent'.
It's not just the 'fly-by-nights' either, it includes some of the bigger data suppliers who REALLY SHOULD KNOW BETTER.
It seems that consent has been seized upon by many as the only basis for direct marketing. This is not true. In fact, in most circumstances, it is probably not even the best legal basis for direct marketing.
We can understand how some confusion has crept into the thinking of direct marketers. After all the Direct Marketing Association (DMA), the professional body for direct marketers in the UK has a document called 'GDPR Checklist'. In fairness, there is some good stuff in there, but on page 7, in the section called 'Third party data' point 2 is 'Know whether the consent was recently obtained/updated' and point 3 is 'Make sure that the third party can prove consent'. This implies consent will be a must for third party data. However, point 4 is 'Make sure your organisation was specifically named when the data was collected' which seems to be contradictory, suggesting consent will NOT be a valid legal basis for using third party data. Please forgive us, we cannot link to this document, it is for DMA members only, so if you have access, it is called 'GDPR Checklist', but as you can tell, if you never see it, you might merely have saved yourself some confusion!
And this highlights a very real challenge, namely even the people charged with, and paid for, providing guidance and counsel can't agree, not even with themselves!
None of which helps you promote your products and services to keep your organisation in business of course. But remember, as with everything in GDPR, the data controller (your organisation) is required to demonstrate you have complied with the law, and if you have chosen to use consent as the legal basis for processing, that includes having valid consent. If not, you could be processing personal data illegally.
With GDPR just months away, please, please, please think about this issue. This is what concerns us ...
Consent is now quite tightly defined
GDPR says consent must be 'freely given, specific, informed and unambiguous'.
But despite a tight definition, there is still some ambiguity. 'Freely given', 'unambiguous' and 'informed' are all very clearly specified in the recitals. This leaves the word 'specific', in the first line of the Article. What 'specific' means is not defined more clearly than this, so whilst we have a good idea about the intention, the UK Regulator will need to decide if the consent you have is specific enough.
What do the UK Regulator, the ICO have to say on this matter?
Well sadly the ICO, the UK data cop, is being quite tardy about their guidance, but that doesn't mean you can slack with your implementation (data subjects can sue you too!). They have said they will issue formal guidance on consent in December this year. Until then we only have their 'Draft GDPR consent guidance' issued on the 2nd March 2017 for a consultation period ending on 31st March 2017. PLEASE BE AWARE THIS MAY CHANGE.
Working with this document (you can download it from us free here, and if you are keen to make sure we haven't tinkered with it, you can download it free directly from the ICO here), they mention the requirement to name organisations relying on consent AT THE TIME OF COLLECTING THE DATA on many occasions:
Look at page 3 where the 'specific' requirement of valid consent is explained:
Name any third parties who will rely on the consent.
On page 7:
Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
And again on page 21:
The controller’s identity: you must identify yourself, and also name any third parties who will be relying on consent.
And on page 28, it is stated that consent will be invalid if:
your organisation was not specifically named
On page 29 you are told when obtaining, recording and managing consent, you should:
Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time.
On page 30:
the name of your organisation and the names of any third parties who will rely on the consent – consent for categories of third-party organisations will not be specific enough;
Finally, in the checklist on page 38:
We have named our organisation and any third parties
There are at least 7 mentions in a 39 page document. It seems very clear what the ICO will be expecting!
'My suppliers says they are naming all companies'
In practical terms, it is hard to imagine how this might be implemented, but in the quest for understanding let's suspend reality for a few moments and perform a thought experiment.
What does that phone call sound like? What does that web page look like, and how long is it?
... never mind, let's swallow the implausibility of this actually happening. On page 7 of the draft guidance on consent, the ICO say:
Granular: give granular options to consent separately to different types of processing wherever appropriate.
This means the data subject must be able to consent to the items they wish to consent to, and withhold consent from other items. NOW what does that phone call sound like? What does the web page look like with all those un-ticked boxes (mentioned many times)? How long does giving consent take?
... and you're back in the room!
The ICO, the UK enforcers, have mentioned 'granularity' at least as often as 'named' in their draft guidance. It is pretty clear what their intention is. And it springs from the underlying principal which is:
Consent means offering individuals genuine choice and control.
Guilty unless you can prove you are not
Remember you have to be able to prove you are 'in no way responsible' if things go wrong.
With that in mind we are going to examine this guidance now, just like you will do when doing your due diligence on data suppliers (you do do that, right?) It might help if you imagine explaining it to The Judge who just keeps on asking:
'Please show me proof you are in no way responsible?'
No B2B data supplier collecting data(*) knows who their data will be used by. Consequently the consent WILL BE INVALID, because it clearly cannot satisfy the ICO requirement; you weren't named when the data was collected. (*) unless you have contracted them to perform a bespoke research task for you.
And just to be clear, you can't get away with this by simply blaming the data supplier either. GDPR is very explicit that everyone is responsible unless they can prove they are not. That means you MUST do your due diligence, how else could you prove your innocence?
Why would a data supplier behave this way?
Obviously no reputable data supplier should. However, they may be:
The data marketplace is changing. Many of the 'fly-by-nights' are just scamming the unsuspecting for what they can get in the next few months. Others are simply lazy, and haven't thought about it in the hope nothing is changing. Still more are waiting for guidance.
The problem is, that doesn't help you!
If you are speaking to a data supplier who says you can use their data on the basis of consent, as the Regulator sees it, they are wrong! And that puts you at huge risk.
At Corpdata we know the ONLY legal basis for using third party lists using the current guidance, is 'Legitimate Interest'. What is more, we will help you do it. We will help you with the documentation you need:
Have you thought about the 'balancing test'?
... or the 'necessity test'?
... what about proof you need?
... do they have call recordings?
... do they hold document scans?
... what about ensuring you get 'rectifications' to the data?
... how are you complying with the 'storage limitation' principle?
The old phrase 'caveat emptor' or 'buyer beware' still applies, trade with charlatans at your peril!
We would be delighted to talk to you about the challenges you are facing, and how we can guarantee your compliance and maintain your results.