As part of the TrustArc Privacy Insight Series Webinars, Ray Everett, Principal Consultant and Director of EMEA/Global Consulting at TrustArc, presented “Managing Consent and Legitimate Interests Under the GDPR.”  This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.  In this webinar, Ray discussed determining lawful basis for processing, looking at legitimate interest, approaches to consent, and demonstrating and maintaining compliance.

Ray examined the three most common applicable bases for processing, which are: consent, performance of a contract, and legitimate interests pursued by the controller or by a third party.  He also explored how to determine which basis makes the most sense for your particular data processing activities.

Companies have had to change the way they approach consent to make sure they are clear and concise about their reasons for processing.  Ray suggested a good test to determine whether consent is your legal basis: if your company cannot operate without consent, then it is not the right basis for that activity.

As laid out in the GDPR, the performance of a contract is a criterion the data controller can utilize in order to process data. While performance of a contract seems simple, Ray noted there can be danger in overbroad interpretation of what is within the scope of a contract. Companies need to be mindful to not stretch their contract basis outside of its limitations. Ray also laid out the key questions to ask in order to determine if the performance of a contract is a legitimate basis for data processing.  

He stressed legitimate interest is closely related to what that data subject can expect out of that relationship with the controller, which should be extremely clear.  He pointed out that if you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests. Ray explained how to conduct a Legitimate Interest Assessment (LIA) by performing a “purpose” test, a “necessity” test, and a “balancing” test.  He pointed out reasonable exception for legitimate interest can be shaped by transparency and clarity.

During the webinar he also showed several companies’ post-deadline privacy policies as useful examples of best ways to outline a company’s lawful basis of processing. He touched on ICO recommendations on how to demonstrate consent, such as: keeping records, making it easy for people to withdraw consent and keeping consents under review and refreshing them if anything changes.  

This webinar had even more best practices, tips, and examples, which you can see on demand  here.

TrustArc offers technology solutions for managing consent and individual rights.  To learn more, schedule a consultation today!