For organisations wondering about the differences between the Data Protection Act (DPA) 1998 and General Data Protection Regulation (GDPR), perhaps the first question business owners might ask is:

“When are you allowed to process the personal data of individuals that GDPR is coming in to protect?”

A lot of articles have focussed on a need for explicit consent to process any personal information under GDPR. Whilst it is true that the rules around consent are tightening, it hasn’t become an overriding requirement.

Businesses offering products or services will be glad to know that processing the data of customers for the performance of a contract is a lawful reason for collecting and processing data.

Processing data for the ‘legitimate interests’ of your business is also permitted. But the worry here is that you probably can’t just point to a document when asked to justify your actions, like with a contract. Rather, you have to balance your needs to process the data with the ‘interests, rights or freedoms of the data subject’. Sounds simple enough, but what does it actually mean?

What can businesses do now to prepare for GDPR?

Whilst we await the publication of guidance it’s still possible to get a head-start. SMEs are perhaps in the best position when it comes to data controllers understanding the specific needs of the business. Figure out exactly what interest your organisation has in the processing of data as this will go a long way towards being able to legitimise your processing. It might even give you an insight into how your use of the data could affect the subject.

Get a grasp of these basics now, thereby reducing your business’ time in establishing protocol once the guidance is out.

So, what about consent to process data under GDPR?

Even if you already have it under the DPA, you might find that it’s not going to fly under GDPR. The Information Commissioner’s Office emphasises that consent is done properly under GDPR means handing total control of the data being processed to the individual concerned.

In practise, this means that data processing should be presented as a real, informed choice.

This involves:

  • giving specific reasons for requesting consent, avoiding vague/blanket cover (it won’t be compliant, so won’t decrease risk!)
  • being clear and concise with no complex explanations
  • explaining how to easily withhold or withdraw consent
  • separating consent from your other Terms and Conditions
  • not making it a prerequisite of offering services
  • requiring an active opt-in (the days of pre-ticked boxes are gone!).

If your current consent relies on practices contrary to the above, then it’s time to review or audit of your current data protection procedures.

Getting ahead of the game means understanding the principles and reasoning for consent. This should allow your business to make an informed and steady transition into compliance, rather than a panic-stricken overnight switch!

For many businesses, GDPR will mean that some fresh drafting of Terms and Conditions will be essential, especially when it comes to unbundling and producing fresh requests for ‘explicit consent’. Devant can develop these for you and review your data protection policy so please contact us for an initial no-obligation chat with one of our consultants.

Fraser Gleave
Junior Commercial Contracts Consultant