Why do I keep getting all these emails about the GDPR?
One of the aims of the GDPR is to allow individuals to take back control of how their personal data is used. But the imminent arrival of the new law on 25 May 2018 has led to a deluge of emails as organisations strive for compliance. Have you found yourself asking whether all this is necessary?
Organisations are not necessarily required to refresh all existing 1998 Act consents in preparation for the GDPR. But, if consent is the relevant lawful basis for processing, it’s important for them to check their processes and records in detail to be sure existing consents meet the GDPR standard.
Recital 171 of the GDPR makes it clear that you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. However, you need to be confident that your 1998 Act consent requests, and the responses received, met the GDPR standard and that the consents are properly documented. You will also need to make sure that individuals know that they can unsubscribe and have a simple method of doing so.
On the other hand, if existing 1998 Act consents don’t meet the GDPR’s high standards or are poorly documented, you need to obtain fresh GDPR-compliant consent; or perhaps you will be able to identify a different lawful basis for your processing, which might be “legitimate interest”. Failing that, you will have to stop the processing.
You will recall that the GDPR requires consent to be affirmative (opt-in), freely given, specific, informed, unambiguous and unbundled. And recorded (to meet your obligations of accountability). And as easy to withdraw as it was to give.
If you decide to rely on a different lawful basis, you need to ensure that your continued processing is still fair and transparent. This means you need to take all reasonable steps to tell individuals that you are relying on a new lawful basis and explain what that basis is.