Monthly Archives: June 2018

GDPR versus Direct Marketing: Re-consenting for Marketing Data?

As the new sheriff in town, the GDPR casts a dark shadow over businesses processing direct marketing data. The regulation has businesses wondering if they must obtain new consents for their entire marketing database. The answer is “it depends.”

This problem arises from Recital 171 of the GDPR, which states: “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of this Regulation.”

The premise is that if you acquired consent for processing data pre-GDPR, then you can continue to rely on that consent post-GDPR. All is okay up to this point. But the dark cloud above all this is that the pre-GDPR consent remains valid only if it was obtained to a GDPR standard. The GDPR requires that an indication of consent must be unambiguous and involve a clear affirmative action. With the added requirements for consent, it follows that all consents obtained pre-GDPR are likely no longer valid and businesses must obtain new GDPR-based consent.

The GDPR will fine businesses processing marketing data with no lawful basis up to EUR 20,000,000.00 or 4% of the total annual worldwide turnover. Rather than accept the risk of noncompliance, let us remove that dark cloud of noncompliance and help your team comply now.

GDPR versus Employers: Time to reconsider consent as a lawful basis to collect personal data?

In light of the GDPR’s stringent requirements for consent, HR departments will need to review the legal basis for processing employee data under employment contracts based on consent. The GDPR heightened the requirements for using consent as a legal basis, making this method risky and burdensome. The GDPR requires that consent must be: (1) freely given, (2) specific, (3) informed, and (4) unambiguous. In the employment context, it is unlikely that an employee can respond “freely” to a request for consent from his/her employer.

Blanket consent policies in employment contracts are no longer adequate to process employee data. The employer must identify an alternative legal basis (e.g., a “legitimate interest”) for both new and existing employment contracts. Further, HR must draft new employment contracts and rely on an alternative legal basis to process employee data to avoid sanctions and fines.

The GDPR will impose severe fines of up to EUR 20,000,000.00 or 4% of the total annual worldwide turnover on employers that process employee data with no lawful basis. To put this in perspective, the Supervisory Authorities, only hours after the GDPR came into effect, filed complaints against Facebook, Google, Instagram, and WhatsApp with fines reaching a staggering EUR 9.3 billion in total. Employers must become GDPR compliant before the Supervisory Authority makes landfall at their organization.

Let us help you with this hurdle to GDPR compliance.