This page contains the transcript of a web chat we had with a member of the ICO team.
The team members have been really helpful and very gracious in allowing us to publish these transcripts. We are duty bound to point out that the information included will be the view of the agent and could of course be subject to the misunderstandings that can arise from a purely written conversation. The actual General Data Protection Regulation should always be regarded as the ultimate source of truth.
Initial Question: GDPR: Does interacting with an individual require consent, e.g. if I'm selling products to the public, do I need consent from an individual to include them in the invoicing process and to retain their data in my financial records?
You are now chatting with ico_aidenc
ico_aidenc: Consent is not the only basis for processing data. You can see more guidance here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/
and the Commissioner has written a blog about it here: https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/
Tom: Hi aiden, the first of those links is the one that triggered the question!
Tom: This whole concept of 'legitimate interest' is confusing
ico_aidenc: OK. Legitimate Interest requires a balance between the needs of the organisation and the rights of the individual. The processing shouldn't have an undue or unwarranted negative effect on the individual.
Tom: So, sending someone an invoice in response to their order seems legitimate, as does keeping them in the accounts software (and there's probably a statutory accounting requirement for that too that trumps GDPR?). But, using their purchase history to profile them might be a grey area?
Tom: Ah, OK, I've just realised I misunderstood something here, Consent 6(1)(a) is one option, but 6(1)(b)-(f) are alternatives and DON'T require consent?
ico_aidenc: exactly. So you'll only need to satisfy one of those options.
Tom: So in my example, the invoicing might fit under 6(1)(b) and the keeping of accounting records under 6(1)(c). Furthermore, if my business was "sales with recommendations", profiling of sales patterns might even come under 6(1)(b) too?
Tom: (where the profiling was specifically to generate recommendations)
ico_aidenc: In general terms you are correct, but you might struggle to fit profiling under 6(1)(b) as it's not necessary for the contract you have with a specific individual.
ico_aidenc: You'd need to be looking at whether you could satisfy legitimate interests for that, or would need consent
Tom: that makes sense, it was a bad example, I was really just trying to confirm my understanding that what constitutes "necessary for the performance of a contract" will vary depending on the nature of the business
ico_aidenc: yes, and the terms of the contract etc.
ico_aidenc: So the conditions have to be broad because of the variety of different types of processing they might cover
ico_aidenc: We'll be providing more guidance as and when we can
Tom: The key takeaway at the moment though is that you don't need 'consent for everything', which seems to be a widely held misconception
Tom: Many thanks, as ever this has been invaluable. I'm now putting together a blog/website on this whole area for our customers to try and give them further guidance, is it OK to include a full transcript of this chat for their information?
ico_aidenc: You can do, yes. I do have to caveat my guidance by saying that it's specific to the questions you've asked me, and it might be easier to direct to the Commissioner's blog: https://iconewsblog.org.uk/2017/08/16/consent-is-not-the-silver-bullet-for-gdpr-compliance/ . We're happy to offer advice to anyone who wants to contact us via livechat, the helpline - 0303 123 1113 - or firstname.lastname@example.org. Our GDPR microsite is updated as frequently as we can: https://ico.org.uk/for-organisations/data-protection-reform/
Tom: Yes absolutely, and I will include that caveat too. The aim of what I'm doing is to provide guidance and examples specific to our SME market that extend the ICO's content. I'm absolutely not trying to cover the same ground you guys have, your content is great (apart from the assumption of knowledge of the DPA that I griped about in our last chat!)
ico_aidenc: Thanks - and thanks for using our livechat service. Glad to have helped!
Tom: Very useful as always, speak soon no doubt..!