When the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, EU marketers will need to better manage individuals’ privacy rights as well as the lawful grounds for processing their personal data. You can’t just have data because it might come in useful anymore.
There are 6 lawful grounds for data processing under GDPR:
Consent – an individual has consented to the processing of their personal data.
Contractual – processing personal data is necessary for the performance of a contract to which the individual is a party.
Legal Obligation – processing of personal data is necessary for compliance with a legal obligation.
Vital Interests – processing of personal data is necessary to protect the interest of the individual(s).
Public Tasks – personal data processing is required to carry out tasks in the public interest.
Legitimate Interests – processing personal data is necessary under the legitimate interests of a Data Controller or Third Party. These interests may be overridden by the individual’s interests or fundamental rights.
Every data item that contains personal data, from name and address to IP address to really sensitive data such as health data, must be assigned a legal reason to be held.
There is no hierarchy or order among the lawful grounds for processing personal data: all are equally valid. The most appropriate lawful basis will depend on the personal data being processed and the purposes for which it is processed.
In adhering to GDPR, marketers' main focus will be on legitimate interests and consent as justifications for their use and administration of individuals' personal data.
The GDPR states that legitimate interests may be a reason to hold data for direct marketing, but there needs to be a proper, independent assessment of this. Whilst we wait for final guidance from the ICO, you'll find useful information on this topic at the Data Protection Network.