Consent is not the ‘silver bullet’ for GDPR compliance

By Elizabeth Denham, Information Commissioner.

Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).

Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.

Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.

Last week I set the record straight on our new fining powers.

My second blog tackles an equally high-profile issue – consent.

Myth #2

You must have consent if you want to process personal data.

Fact:

The GDPR is raising the bar to a higher standard for consent.

Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

This has understandably created a focus on consent.

But I’ve heard some alternative facts, such as the claim that “data can only be processed if an organisation has explicit consent to do so”.

The rules around consent only apply if you are relying on consent as your basis to process personal data.

So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.

Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.

Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information.

Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.

The new law provides five other lawful bases for processing personal data, any of which may be more appropriate than consent.

‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working to publish guidance on it next year.

But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.

Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.

But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.

Fact:

I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.

Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.

Our series will continue next week.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

90 Responses to Consent is not the ‘silver bullet’ for GDPR compliance

  1. Thank you for these posts. I find them useful.

    Assuming that this series is designed to further clarity, here is a question I know is highly topical which would really benefit from further exploration. It’s to do with ongoing sales/marketing communication with prospects and customers for commercial B2C organisations.

    I’d like to explore how “Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject” works in this context.

    As a potential basis for lawful processing, my take away from the intent of this statement is that the interests of a data subject, for instance a consumer, trumps the interests of an organisation such as a brand. Sales and marketing interests are subordinate to those of the consumer. That’s what it communicates to me.

    I have no personal issue with this since the volume of digital comms is increasingly out of control and getting worse.

    If so this leaves consent as the only other obvious basis. One that I think more effectively resets the balance of conscious give and take between brands and consumers in the right way – it becomes a cycle of ‘rent not keep, ask often, provide value, receive permission to continue’ etc

    If this is right then it would be useful to clarify this since much current practice is quite the opposite and the whole process of funnel management will need to be redesigned. The earlier the better.

    Hope this inspires a response.

    • Guy Pyetan says:

      I read it the same way you did and I think your description of a cycle of ‘rent not keep, ask often, provide value, receive permission to continue’ etc is appropriate, but I would add, be transparent and communicate. I think the recruitment industry (along with the marketing industry) is in for a wake up call as well. Perhaps we’ll move back to higher quality recruitment and the reinstitution of good old fashioned relationships with skilled business developers and recruiters at work once more.

      • Guy, I agree there are certain sectors that are addicted to quantity over quality. Recruitment is a prime example. Optimising the blend between digital workflows and the human touch is another skill that is yet to be broadly learnt.

    • Barry Shiel says:

      “Necessary for the purpose of legitimate interests pursued by a controller or third party, except where such interests are overridden by the interests, rights or freedoms of the data subject”

      Well this is very interesting, any response on this Elizabeth Denham?

      • Andy Hartman says:

        Yes, the ‘legitimate interests’ clause is what seems most murky to me and my co-workers right now so would love to see an in-depth explanation on how this functions.

        It’s also telling that Denham ends her blog by saying, ‘Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.’ Clearly she is acknowledging there is a hunger for more guidance on ‘legitimate interests’ as well as consent.

  2. Ad van Loon says:

    Great evaluation. And to the point. It was needed after ICOs earlier confusing communications on consent. Just one correction: the GDPR came into effect on 24 May 2016 and therefore it can already be applied, at least in part, by courts in civil procedures.

    • Neil says:

      Strictly speaking, it didn’t.

      Somewhat unhelpfully, EU regulations ‘enter into force’ when they’re passed by the European Parliament (if they set a date) or 20 days after they’re published in the Official Journal of the European Union (if they don’t) – not when they’re actually enforced.

      So, the GDPR came into force on 24 May 2016 and comes into effect on 25 March 2018. (See Article 99.)

      This has, understandably, caused a great deal of confusion. Some people think it’s already in force, some think it’s not in force until next March.

      Roll on the 2018 DPA, say I.

  3. Pingback: The Principled Data News Review | The Principled Algorithm

  4. Simon Ghent says:

    Another great blog post that will come as a blow to some “experts” who are creating nothing but an environment of confusion and misinformation.

    Please keep these up. LinkedIn and other business sites are full of #GDPRubbish and my time is being increasingly taken by unravelling the bad advice organisations have been given and in some cases acted on.

  5. Chad Colby-Blake says:

    It is a wonder that this concept of consent as the only lawful basis of processing does persist. I’ve not come into contact with an advisor, though, who has insisted. I understand the lay person for thinking this as they can only deduce requirements by what they experience and in a good many cases they are not given sufficient, clear information on the lawful basis for processing (their) data and why they are not always asked to provide consent.

    • Chad, I think it is easy to understand why people mistrust what brands often do covertly with their data, in addition to the legitimate reasons already mentioned. Most ignore it as the price of being connected. GDPR reintroduces the notion that a person has a right to privacy, which is something we have been persuaded to let go of as the price of being online. One of the reasons brand trust is at all-time lows.

  6. Pingback: Nine months and a lot more b*llocks to go before new UK data protection rules kick in | Crawfordwise

  7. Manoj says:

    Will ICO’s guidance be specific to organisations operating (business & customers) within the UK or will it consider organisations having Global and Eu presence?

  8. Pingback: Nine months and a lot more b*llocks to go before new EU data protection rules kick in | Crawfordwise

  9. Samuel Allan says:

    Hi Elizabeth

    Your headline looks a bit like the fake news you are trying to deal with.

    Consent is not the ‘silver bullet’ for GDPR compliance…

    …Unless you are a marketeer!

    Having worked with CASL as well as GDPR, this is a very confusing headline.

    The content is clear and I understand what you are trying to say, but sorry, your headline could have marketeers doing the headless chicken to work out “WHAT IS THE SILVER BULLET?” Am I wasting my time with Consent?

    Hope you get my drift

    Sam

    • nomadsquire says:

      Potentially, Sam, yes, you are – it depends. Look at all the legal grounds for processing personal data, not just ‘consent’. I suspect you will find others that are better for your organisation. Weigh up your options by taking into account ‘cost of implementation’ as well as the ‘principle of proportionality’. If you can’t figure it out, seek advice (for example from priviness – the de facto standard of the privacy of business)

  10. sylvia says:

    I have taken breaches of the DPA several times to the ICO. They have found the breaches but refuse to take any action, telling me I can take the matter to court, whilst no one knows or will say the correct firm to use. And this does not resolve the issue of authorities with old information we are entitled to often hiding evidence of abuse and neglect, especially when the SAR relates to care homes, GP surgeries, LAs and CCGs. The issue is not then just the breach but the continuation of withholding information we have a right to have, and lying about the fact they hold the information. I have written to Ms Denham several times about this type of deliberate breach that involves no penalty, so no incentive to comply, just a lot of time wasting and abuse of people’s so-called rights, authorities delaying such requests giving them time to hide or destroy evidence. Ms Denham did not answer any of my letters.

  11. Pingback: Consent is not the ‘silver bullet’ for GDPR compliance « Data Protection News

  12. Pingback: GDPR will change data protection – here's what you need to know - Cloud Hosting London

  13. Pingback: GDPR will change data protection – here's what you need to know - Reseller Hosting London

  14. I am based in Mauritius and follow this blog with much interest. Miles away from Europe, the nation is very much affected by the GDPR due to the large business process outsourcing industry and also the fact that it signed Convention 108 last year. I would like to hear about how exactly would the GDPR be legally enforced in a court of law within jurisdictions outside of the EU.

    • Franz says:

      The GDPR as such will not apply to processors outside of the EEA, but personal data can legally be exported to and processed only in like-minded states having similar laws and supervisory authorities capable of enforcing rights and punishing abuses.

      • nomadsquire says:

        Sadly, Franz, it will apply to organisations outside the EEA, when the personal data that is being processed is that of data subjects within the EU

      • Simon Clark says:

        Franz, it does apply, and if your data such as payroll or HR is outsourced to a country without data privacy laws, then you’ve got to find a new supplier, or run the risk.

  15. Stewart Lowthian says:

    Having read through the draft guide on consent I’m intrigued by the box at the top of my monitor that says “We have placed cookies on your device to help make this website better. WordPress cookie policy ” followed by a box labelled “Close and accept”. This appears to be coercion disguised as consent.

  16. Scott Brown says:

    Dear Elizabeth,

    Can I just ask, where in the wording of either the PECR or GDPR Directives does it state you have to name any third party organisation within the opt-in statements and that precisely defined categories will not be acceptable? …..which is what you have clearly outlined within the ICO’s Draft Guidance for consent?

    Within the PECR directive point (89) it mentioned you can specify industry types.

    If named organisations is the route that will be confirmed then that has huge ramifications for the UK economy as a whole.

    Do we need to wait until December before this is made clear?

    Kind regards

    Scott

  17. Darren Revell says:

    Any views on the Honda fine mentioned on other posts? I can’t speak for the full accuracy of my statement, but others seem to be implying Honda was fined £13000 for emailing its clients to say GDPR is coming, do we have your consent past that date to mail you again. In this case, Honda may have presumed they had both consent and/or legitimacy if they were just checking in with past customers in readiness for GDPR compliance.

    If you are trying to bust myths then why was checking back with past clients worthy of a fine, given Honda has a very niche and loyal customer base in the car world it seems a bit harsh.

    • Tim Turner says:

      Honda were fined for breaching PECR, which is specific legislation related to electronic marketing. It’s impossible to consider the impact of GDPR on marketing without looking at PECR and its successor (still being negotiated).

      • Johnno says:

        Honda contacted their entire database of past customers, even those who had opted-out via electronic means. So the fine was imposed as they acted against those individuals’ wishes and complaint(s) were made – potentially only one complaint though!

      • Johnno says:

        Sorry, I’m wrong there…they just had no evidence of opting-in.

  18. Pingback: GDPR will change data protection – here's what you need to know - ANDROID7UPDATE.COM

  19. Pingback: Fancy Guppy | You can’t opt out of the General Data Protection Regulation (GDPR).

  20. David Rose says:

    Any chance of a blog (or maybe someone can point me to an existing one) giving some help as to what a micro business (less than 10 employees, more likely less than 5) dealing only with B2B should be doing, and what is the best way to do this without really requiring any further (human) resources than the business would already have? Micro businesses, by their very nature, tend to have one or two directors who wear every hat – accountant, book keeper, IT guru, salesman, delivery driver, tea boy etc. Please don’t tell me we now have to be GDPR experts as well?

  21. Guy Pyetan says:

    David, I don’t know of blogs though I am about to start one. I am by no means an expert. I am however GDPR trained and have been heavily involved in regulatory compliance in the past. As is usual with these things I would suggest you attempt to hit the main points first. You employ people. They have data rights and under GDPR you have to be able to demonstrate that you have their information protected but accessible on demand by them and them alone (don’t go releasing their info to any old Tom, Dick and Harry). If they make a request of you to find out what information you hold on them then you need to be able to pony up that information within a reasonable space of time. You need to be able to respond within a month to a request for a SAR and thence to provide the information reasonably. Obviously as a micro business if you haven’t got the systems or facilities to provide some sort of portal access then I would suggest you create a lightweight policy around this. E.g. if they want to know what you hold on them then you can provide it ideally in electronic form but failing that you can make a space available for them within the workplace and provide them with their original records during work time (if they’re all paper based). Alternatively you can post the records to their home addresses registered/tracked via reputable providers.
    As to storage of HR related data, make sure it’s stored on encrypted drives and that you know where it’s stored (legal jurisdiction and ideally physical location), and consider changing storage providers if they can’t tell you this information. If you store it on site using your own equipment then make sure that the storage you buy encrypts the information (you can buy USB sticks and hard drives which do store and encrypt the data). If you use such devices then when not in use ideally lock them away in a safe or something. Make sure that only employees who need access to the data to carry out their jobs can process it. Make sure you have a policy which you follow to manage this and that this policy is written down and that everyone knows what it is. I would suggest you also institute clear desk policies.

    E-mail. All sorts of stuff gets put in emails and typically one has large histories of it. If only a couple of you have access to such information then it’s less of a problem but still. I would suggest that the best idea is to archive all bar say the last few weeks of emails (unless you have some longer term projects in play which you need info trails for). Encrypt them and store them off line or certainly in secure online encrypted storage (with the same caveats about physical location/ownership as I made earlier) which you have a policy for gaining exposure to.

    I would certainly do some checks (by searching generally) in your emails to make sure that personal and business emails don’t contain personal data that could fall foul of the rules. If they do then either sanitise the data or delete the email or archive it. The beauty of deleting it is that when somebody asks what info you hold on them you then don’t have to search history to find out. You may not be able to cite difficulty in getting the info or if you do the reasoning might not be accepted.

    Mobile phones. Make sure that you have only business related contact data stored on business mobiles and nothing related to the business on personal mobiles. If you share them then you have a problem. I would suggest that you separate the two or try to find an app that securely stores contact information (e.g. encrypted contacts app password protected and at least 256 bit encrypted. Do not store business contact details on your personal phone intermingled with your personal contacts and vice versa). Even then I would be careful of the details you take down. With GDPR the rule is minimisation – store only what you absolutely need to get the job done. Simplify and minimise.

    I will get onto the controller processor relationship in time. I have some other stuff I need to do but this gives you a basic high level start.

    Oh and before I forget don’t forget the PECR rules which sort of go hand in hand with data protection and GDPR (they’re 11 pages).

    To me the basic golden rule for all of this stuff is minimise the information you hold on people. Separate personal and business information so that never the twain shall meet. Always ask yourself what you’re grabbing at personal information for and why you’re holding it. If you haven’t got a good reason then it’s probably best not to hold it. “My business can’t function unless I have that data for the following reasons ….” is a fairly good reason. If you have to hold personal information then make sure you can find it within a reasonable amount of time, because if the person to whom it refers asks what you hold you are pretty much legally obligated to supply it free of charge within a reasonable amount of time. If you hold personal data make sure you know where it’s stored and who owns it and who can get access to it. The golden rule is only those who need to to carry out their jobs and meet the need for access requests from the data requestor. Make sure you have policies and processes in place for the management of data usage, storage and access requests, and make sure they’re fit for purpose, documented and that everyone who needs to knows what they are. You should be doing this anyway if you’re running a tight ship.

    Remember I’m typing this info into a tiny little box and I’m giving loose high level guidance. I take no responsibility for the guidance I’m giving and you follow it entirely at your own risk. That said I hope it gives you some help.

  22. Ally says:

    I don’t understand, as a lay person, how this relates to public bodies like the NHS, councils and schools. Nor even with the current PECR or DPA itself.

    • nomadsquire says:

      Ally – GDPR affects every organisation, including public authorities (such as NHS, councils and schools, etc). These bodies all need to look at the legal grounds for processing personal data of individuals, which may or may not include ‘consent’, and there may be more than one legal basis for processing personal data. priviness (the de facto standard for ‘privacy in business’) may be a good first point of call for you if you are seeking expert advice on the matter

    • Anonymous says:

      Schools indulge in far more data processing & external sharing of personal data relating to kids (name/address/DOB/ethnicity etc) than they make obvious. This is all done on an ‘assumed consent’ basis at present.

  23. Darren Revell says:

    Can you put out a definitive blog that B2B contact data is not covered by GDPR, rather it is covered by PECR, soon to be ePrivacy.

    The amount of GDPR pundits who have said GDPR applied to company contact data because you can identify that person by their name so identify a human is just getting ridiculous.

    People are literally being told to delete their B2B contact data and it is why GDPR is being misunderstood as a law that will stop trade.

    • David Rose says:

      Darren – this is exactly what we’re being told (by some prominent people e.g SalesForce). I’m at my wits end here as there’s no way we could stay in business without access to all the historical client B2B data – both contact and other. None of it is personal data, just communications from humans in the course of their business.

      • Darren Revell says:

        Yep, clear as mud. I have already had replies to say I am wrong. Which is cool, I don’t care if I am wrong. I just want the correct advice.

    • Charles Bagnall says:

      Darren, both you and the pundits have a point. If I order goods from your company you can keep my data on file to enable you to fulfil the order and any subsequent orders. Provided you only store the relevant/appropriate data there is no need for you to archive all your sales ledger / purchase ledger names and numbers. But should your marketing department suggest that you contact all people who have ever ordered anything from you with a sales message about a new product, even in a B2B context, then that may be challenged by those who have not given explicit consent for this. They gave you the data for the purposes of processing the sale, not for future marketing purposes.

  24. Anonymous says:

    I think that basic business communications data is fine if it’s available generally in a business context. What is not fine is if you start holding onto items connected with it. E.g. work phone number and name and company name is fine. But sex, age, sexual preferences, marital status, religion, ethnicity isn’t, without specific permission and good reason to carry out specific processing for a period of time for a specific purpose with consent. If you hold those additional bits of data then you need to go to town on protecting them and ensuring that only those people who should have access for the specific stated purposes for which consent was given can gain access and nobody else, unless we’re dealing with specific special cases such as law, tax, health etc., and even then utmost efforts should be made to ensure it’s only used for the specific purposes and that it’s protected to hell and back and so on.

  25. Guy Pyetan says:

    I suggest you take a look at the document produced by the ICO entitled “What is personal data”. Ostensibly, if it can be used to glean facts about an individual, either directly or through processing, then it’s personal data regardless of whether it’s B2B or otherwise. So a name and business phone number might not be if they’re published on a company website, but will be if not. I suggest you also look at this stream on the DPA which had the same issues http://www.seqlegal.com/blog/what-personal-data. Legitimacy of processing is important and some of the answers are enlightening.

    Imho the following basic premises hold.

    Don’t hold data unless you absolutely have to.
    If you hold it make sure you have a damned good reason for holding it and that you have a specific task in mind.
    Hold the data only for as long as you need to, unless you have a legal reason to (e.g. a legal record keeping requirement).
    Capture the barest minimum.
    Look after it very carefully and make sure you have taken steps to ensure that only those who need to process it for the stated purposes can do so.

  26. David Rose says:

    > work phone number, email, name and company name is fine

    They’re the important ones for most B2B and where the confusion is arising.
    Outside of the medical profession (and employee records) I can’t think of many B2B transactions that would involve sex, age, status etc unless one of the B’s is also a B2C.

  27. Tim Roe says:

    If you process work phone numbers, email addresses, names and company names, you are processing those individuals’ personal data. Once that hurdle of understanding has been cleared, then a business can start to plan how it is going to comply with e-Privacy and GDPR.

    The ICO and the DMA websites have guides on how to comply with the GDPR. The ICO guides especially, are very comprehensive. I find them a great help when, for example, deciding whether the data you process is personal data or not. If you are confused about anything, then you can ask the ICO, via email, telephone and even web chat.

    I can completely understand why there is confusion, data protection law can be complex. There is much content being written based on hearsay or things written in other blogs, that causes this confusion.

    For those organisations that don’t have the internal expertise to manage GDPR compliance and who are hesitant to bring in a third party, taking time to digest the ICO guidance on the subject, would be time well spent.

    Here is the guide on personal data. Although it is related to the existing law, if it is included here, it will be under GDPR.

    https://ico.org.uk/media/for-organisations/documents/1554/determining-what-is-personal-data.pdf

  28. Pingback: The Integrate Agency CIC | ICO – Don’t wait for legitimate interest guidance before GDPR

  29. Franz says:

    I think that data processing for commercial reasons should be forbidden altogether, not regulated. One day we will get there, the GDPR is a waste of time.

  30. G S GILL says:

    As GDPR is due to be rolled out in May 2018, I believe it will make a significant impact on future organisational behaviour around personal data; it’ll encourage teams, or in some avenues force them, to use the data in a precise manner. GDPR elements may not be silver bullets, more like rubber bullets, but if organisations aren’t careful the rubber bullets may leave a painful bruise on your brand identity. Especially if you are in the NFP sector.

  31. Guy Smith says:

    Dear Elizabeth,

    Thank you for posting some guidance – it is good to hear some clarification from the ICO.

    Speaking as one of the people who would like to “get it right” – I would greatly appreciate it if the ICO could provide some examples to illustrate what it considers to be legitimate interest with opt out.

    I believe some of this confusion arises from statements like that on page 3 of https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

    Namely “consent requires a positive opt-in” – using that specific wording indicated to me that consent could only be acquired through an opt-in statement, not under the legitimate interest consent basis with clear opt outs.

    Admittedly I should probably have thought of the alternative methods of consent – but I hope you can see how that wording might confuse people.

    But clear examples would help to clear up this confusion – please do give it some consideration if you are able.

    • mwapemble says:

      You seem to be confusing the lawfulness of processing under consent, and under ‘legitimate interests’? The only way to gain consent will be a positive opt in – see GDPR Recital 32 and Article 7. You cannot rely on the Article 6(f) “legitimate interests” to weaken the requirements for gaining consent, although you can rely on it on its own, having applied the balancing test.

      • Anonymous says:

        Having spoken to several heads, governors & administrators, some schools will rely on the ‘legitimate interests’ argument rather than try and obtain consent, which they will fail to achieve across their entire pupil (data subject) population. This argument won’t fly where it is being used to make life easier for the data controller.

  32. Andrew says:

    “‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. … We’re working to publish guidance on it next year.” (From myth #2)

    “Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests…” (from myth #3)

    Eh?

  33. nomadsquire says:

    Another thought-provoking blog from the ICO, and very much appreciated. The issue of establishing the correct legal grounds for processing personal data is one that organisations should get to grips with quickly, as time is running out… there are only 269 days till GDPR is enforced, which is actually about 140 working days (give or take). Priviness (the de facto standard for ‘privacy in business’) has developed a lot of templates that will make it much easier for organisations to demonstrate compliance with GDPR, especially taking into account which of the legal bases is most suitable (there may be more than one). Those that “live by ‘consent’ will die by ‘consent’”. Those that rely on ‘legitimate interest’ will face a potential backlash if their PIA conclusions are not robust. And without going through all the available legal grounds, those that argue ‘legal obligation’ will probably have the strongest case (again, if their contention derived from their PIA findings is sound). The GDPR is quite clear, but, just to re-iterate, you only have about 140 days to sort it out, and start to respect the privacy of individuals whose personal data you are processing…

  34. I have not seen anything by any official organization, i.e. the EU, the ICO and arguably the DMA, that says that B2B data should be treated differently to B2C. If anyone believes it is excluded from either PECR or GDPR then please point out which EU or ICO text says this.

    • David Rose says:

      I’d like some official explanation as to whether a B2B Customer’s work email & work DDI phone number is personal data or not. Some say yes and some say no, but I can’t imagine how any business can survive without this info and it seems odd to be counted as personal when it’s often in the public domain as contact info on the customer’s web page – or maybe we shouldn’t be allowing our prospects to contact our employees at all 🙂

      • Brendan McGrath says:

        Hi David.
        I am a recently certified EU GDPR Practitioner and discussed the very same type of query during my training, so I understand your frustration and confusion. As I am unsure what your business is, I can only summarise in response to your query. If you are a Direct Marketing company then quite simply your current business model will become extremely risky after May 25 18. I am speculating you aren’t DM.
        B2B data is, as you say, in the public domain, so in principle is not specific PII like a personal email or personal phone number etc. is. You should be able to process the B2B data in a lawful manner as per legitimacy principles. It simply boils down to being respectful of someone’s data and sensible about how you process and protect that data.
        If you are using it for profiling and targeting an individual then you are going to potentially fall foul of GDPR, but if you are using the data for legitimate contractual purposes, i.e. conducting your general day to day business between you and the customer that the individual works for, then that is fine.
        A way we summed it up was: if, for example, a sole trader was using a hotmail.co.uk address then it is fair to assume that this email address is also used for personal purposes as well as business (public domain) purposes, so is specific PII. If your customer is a company called Bloggs Widgets and the individual you are dealing with is using a more business specific address such as bloggswidgets.co.uk then it is fair to assume that this is public domain data, so shouldn’t fall foul of GDPR as long as you have legitimate reasons for dealing with the individual for contractual purposes. In the latter example I would make the assumption that the employer has a policy in place that forbids the use of business email for personal purposes. A practice that needs to be brought more into good Information Security business practice.
        Employees (both yours and those of your customers) do have a right to know where their PII (public domain or not) is being sent, so a focus is advisable on informing staff (in a lawful manner that doesn’t go against GDPR rights and principles) about how their data may be used. Bear in mind you will also be a customer of another company, so you need to be assured that your PII (public or not) is being processed in a secure and lawful manner.
        As you can see, GDPR is a big can of wigglies being opened but does not need to be daunting or overbearing as long as you already carry out good practice under existing DPA regulations.
        The ICO (and GDPR) do not want to put anyone out of business, but we all have to be significantly more aware of how we process PII in the future. Hope this helps clarify the muddy GDPR water for you a little.

  35. David Rose says:

    Thanks Brendan, that’s very useful. I’m a software company and we sell software used to run businesses in a very narrow vertical market. So none of our customers or prospects would be individuals. One thing that is interesting though is that even in big companies we find that certain people will use a gmail address for convenience – i.e. they email us out of (their office) hours but want to pick up the reply on their phone, so will use a personal email. Not sure what to do in this situation as it’s important (for us and them) that the information given in the email exchange is recorded for future reference, i.e. giving them technical instructions to get them out of a fix.
    We don’t use any data to profile humans, only to record what was said.

    • Brendan McGrath says:

      You’re welcome David.
      Along with my shiny new GDPR hat I am also an IT Security professional, and what I would always say about the use of GMail or any other “personal” free email domains within a business environment is simply “don’t do it!” for a number of reasons. To name a few: it is generally bad practice, it is another vector prone to cyber attack that you have little to no way of controlling, you have no legal means of monitoring and/or controlling where your company data is going, and with GDPR now, if you have PII being sent via email, as a Data Controller/Processor you have the added headache of being responsible for where the data is stored. You will find it difficult to confirm that the data is stored in EU data centres (UK data centres after Brexit possibly), but should a breach happen in the free email service (which can and does happen), then it is you that is liable for any fines regarding the data you have allowed to go out.
      My suggestion would be to use a hosted enterprise email environment with a domain name of your company and allow staff to connect to that outside of the office. Solutions such as Office365 subscriptions are very reasonable (and also take away the headache of running an on premise exchange). O365 is also GDPR compliant now.
      By “only record what was said” are you meaning recording voice calls? If so that is yet another new can of wigglies as that can fall under the remit of biometric data, (the new kid on the DP block). I am just in the process of clarifying how a company will handle call recording come May 18 as it is categorically not allowed to use the old “We record for training and monitoring purposes” message after May 18 as the balance of power is firmly in the hands of the recording company and not the data subject so no explicit consent is able to be given. We are looking at an automated message that explains the recording reasons and then gives an option of i.e. Press 1 to allow recording.
      For law enforcement purposes then recording is allowed though.
      As you can see, it is difficult to give a one size fits all answer for GDPR as every business is different, which is why I would recommend training (I am not affiliated to any training) or the use of GDPR Practitioners as a minimum (as mentioned previously I am a Practitioner and looking for contracts :-))
      Again I hope the mud is clearing a little more lol.

      • David Rose says:

        Hi Brendan
        I think you misunderstood; I was saying that our customers will use a personal email to contact us when they want an out of THEIR business hours response, not that we use a personal account to send from.
        As for recording, no, I meant documenting the conversation, e.g. you email me with a problem, I email you back with a solution. I need to keep a record of both of these.

        Finally, as for your “we record for training….” conundrum, surely all you need to do is extend the message with “… hang up now if you don’t give consent” 🙂

      • Brendan McGrath says:

        Sorry David, I did misunderstand you.
        Documenting is fine as long as you look at your data retention policy. You can keep data for as long as you like as long as you have a fair and/or lawful reason for keeping it for the length of time you want to keep it. Bear in mind if it is PII then the Data Subject has a right to know how long and why and also in “some cases” the right for it to be deleted. GDPR is very much about looking at what you currently do and documenting what and why you do with PII so that should the ICO need to knock on your door, you can show them decent records and control.
        As for your solution to my “We record…” issue. Oh how I would love to do that lol. Unfortunately that would breach GDPR as we would be refusing service unless we got consent (forced consent). We could at least all go home as there would be no work to do. Yay! Pass the gin.

      • David Rose says:

        >As for your solution to my “We record…” issue. Oh how I would love to do that lol. Unfortunately that would breach GDPR as we would be refusing service unless we got consent (forced consent).

        This is interesting as in my experience (as a consumer) recording the conversation (whatever the reason given) actually protects the consumer. I can think of numerous times when I’ve been given wrong advice by a company and when they have later listened to the recording, they have confirmed that they were at fault. The more I look into it, GDPR seems to have been designed by a committee who have no grasp on the real world.

      • Simon Clark says:

        Brendan, according to the Microsoft Trust web pages, data on UK subscribers are hosted on servers in the UK for Office 365 and Dynamics 365 but also…the United States !! Please correct me if I’m wrong, but it is my belief that no data exchange policy currently covers the USA and therefore this is an issue.

        This webpage may prove useful: http://o365datacentermap.azurewebsites.net/

      • Simon Clark says:

        Sorry, quick update: if you use Microsoft Sway or Yammer, then that is stored in the USA…

      • Brendan McGrath says:

        Hi Simon
        Thanks for the update. I have my man at Microsoft looking into this for me. Do you have any references you could link me to, to confirm this please?
        As the US is regarded as an adequate country I wouldn’t be too concerned about Yammer and Sway but it would be nice to have all data reside in the EU.

  36. Thanks very much Brendan for your input. Sorry to persist but from your answer it seems to me that all cold calling, both B2C and B2B, will effectively be banned, is that right?

    • Brendan McGrath says:

      Pretty much Peter, for Direct Marketing purposes if the Data Subject hasn’t given prior “explicit” consent. So DM companies need to get a wiggle on to obtain consent from the DS before May 18 and ensure they (the DM) give clear and precise detail of what they intend to do with the PII of the DS along with an easy method for the DS to opt out.
      Each business is different so it is difficult to give a one size fits all answer but if you are a DM company then your current business model after May 18 could be quite risky.
      For non DM companies it is a case of deciding what you need to market and how you do that without breaching a DS’s rights. So is the PII you have personal, or is it a legitimate means of contacting the company that you are trading with?
      The B2C is fairly straightforward, B2B a little more cloudy so I would look at doing an Information audit to Discover, Protect, Manage and Report on what data you hold.
      Unfortunately a small text box on a blog is a difficult place to explain all that is required.

      • Thanks very much for your input on that, Brendan. Hopefully the “authorities” will come to their senses and exclude B2B as that would otherwise have a very damaging effect on the economy. As for waiting for the ICO to clarify anything, I wouldn’t hold your breath if I were you – they don’t seem to be great at clarifying anything, they don’t even get involved in comments on their own blog and leave it to you to answer!

  37. David Rose says:

    Peter Connell, if it is, then I’m guessing that it won’t be for our US based competitors, which will immediately give them the upper hand.

    • Hi David, actually according to the EU the rules apply to anyone in the world marketing to EU citizens. Quite how they will enforce that I don’t know. Also, what’s not clear is whether it applies to, say, a US citizen working in the EU, or an EU citizen working in the US??!

      • David Rose says:

        Interesting, so if I cold call Bloggs Engineering Ltd and ask to speak to the production manager – then I’m not marketing to a citizen, but if I call and ask to speak to Joe Bloggs, then I am?
        Clear as mud.

      • Brendan McGrath says:

        Just to clarify (it’s the OCD in me): it is anyone dealing with EU “Residents”. Even if someone is from a country outside the EU, i.e. a refugee or foreign workers, they are covered by GDPR, so the non EU country has to treat the PII with the same respect. This is why International PII dealings have to be dealt with under adequacy requirements, as GDPR imposes restrictions on both Data Controllers and Data Processors with regard to international PII transfers. With regard to tourists, the jury is still out on that one, so I am hoping the ICO will clarify the tourist situation in due course.

  38. Hi David, yes indeed, and no one in authority (i.e. the ICO, DMA, EU…) seems to care. Even though, according to their website: “The ICO is committed to assisting businesses and public bodies…”. The phrase “Cloud cuckoo land” comes to mind.

    • I’d agree it has been disappointing, given the wealth of specific questions generated from this single thread, that no one from the ICO has seen fit to generate and therefore spread greater clarity by giving a regulatory view. Looks like we are heading towards ‘ignorance by default’ underpinned by paid for certainty from freshly minted GDPR consultants.

  39. Jason B says:

    David, with regard to your questions relating to B2B email: GDPR does not differentiate between B2B or B2C. If an email address can identify or start to identify a natural person – it’s personal data and therefore covered by GDPR, i.e. firstname.lastname@company.com. You then have to choose a legal basis for processing / holding this personal data. Communicating with that individual via email or telephone is separate and covered under the ePrivacy Regulation (in draft). Many will choose legitimate interest as a basis for communication with previous customers via email whilst some will choose consent. GDPR compliant consent would be a watertight basis. You’ll find nearly all email service providers and marketing automation providers now insist that any email addresses uploaded are fully opted in as part of their terms and conditions (due to GDPR liabilities for both the processor and controller). Thus you might find you’ll have to adopt a consent model for B2B email anyway.

  42. Julie says:

    A question re legacy data and what constitutes a ‘marketing email’. A company sends a regular newsletter to individuals who have used their comparison service that has a mix of valuable articles and promotions. Recipients opted in to receive the newsletter but it was a pre-ticked box previously. (This has now been changed). An unsubscribe link is included in every email. Is this ‘legitimate interest’?

    • Mike Broadbent says:

      I think this paragraph might answer that question:

      “Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”

      I reckon you’re on dodgy ground with ‘legitimate interest’ when using data originally collected under non-GDPR compliance, no matter how valuable the articles and promotions you deem them to be. If someone complains about receiving that newsletter it’s going to be up to the business in question to prove that the interest is legitimate – and who on earth wants to jump through those hoops?

      No, I suspect that those of us who have been carefully building our mailing lists and sending out high quality content (which NEVER gets marked as spam) will just have to start all over again… the potential damage to perfectly well-run businesses is huge with the GDPR burden.

  43. David Stevens says:

    I would like to know what the status of PECR will be post May 2018. It’s still going to be on the statute books, yet most of it seems to be covered by GDPR. Yet it would seem we would still need to be very mindful of it, as the charities doing the wealth profiling found out to their cost.

    • Hi David, PECR is specifically about electronic communications and tracking thereof. So, that includes cookies, website tracking and even email tracking. Basically you will not be able to track any individual electronically in any way without their consent or other lawful basis.
