Meet the new term in the new General Data Protection
Regulation (GDPR): "lawful basis for processing data". At the heart of this
new term are new rules for obtaining and managing user consent. So, let's dig
into what this will mean for your business or organization!
You’ve got mail!
Yes, another junk email just appeared in your inbox. Before
you click delete, first check who sent it to you and why. Maybe you ordered a
new swimsuit a few months back, but were you also asked if it was OK to be
contacted by the seller once a week, forever and ever?
The new law turns this question around to protect you. Does
the seller have a lawful basis to store and process your personal data? And what
is the basis that they used to send you an email in the first place?
What exactly does “lawful basis for processing data” mean?
Under the GDPR, the company must be able to prove
and describe what lawful basis it uses to store and use your personal
information. The company can rely on several types of legal grounds for processing,
for example:
- Your personal data is required to fulfil an agreement with you, for example to store your shipping address so they can ship your order;
- The company might have a legal obligation to keep the data, for example, banks are required to verify your identity to prevent money laundering;
- The data is needed to protect your interests, for example, two-factor authentication might require a mobile phone number on file;
- Personal data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for example, your personal data is needed to verify you at the polling station next time you cast your vote.
In general, in order for the company to establish legitimate interest as its lawful
basis, the company must be able to provide a detailed assessment
of that legitimate interest and prove that it has properly considered all the
rights of the individual. For example, the need to store sensitive information,
such as ethnicity, sexual orientation, etc., can never be a legitimate interest.
Obtaining and managing user consent
As you can see, the bar to establish a legitimate interest
is very high and needs to be interpreted on a case-by-case basis. The
consequences for not complying with the GDPR are very severe: organizations
in breach of the GDPR can be fined up to 4% of annual global turnover or €20
million (whichever is greater).
That's why the safest lawful basis for collecting and using
personal data is to collect explicit consent from the individual. It can be as
easy as a specific opt-in box for a newsletter when you purchase something
online.
Let's go back to that email you received before. Starting
from May 25, 2018, the seller will have to prove that you agreed to receive
promotional emails and that your email address can be stored for that purpose. In
addition, the seller must also be able to prove which lawful basis they have
for sending you that email. And yes, the seller must make it super easy for you
to opt out and cancel your agreement, and to erase your email address and other
information.
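To make the requirements above concrete, here is an added example of a minimal consent ledger (written for this article; it is not Omnibasis code and not the platform's API). It keeps an append-only log of every grant and withdrawal per customer and purpose, records the lawful basis and the evidence of how the decision was captured, answers "may we send this email, and on what basis?" with an auditable reason, makes opt-out a single call that appends a withdrawal rather than editing history, and handles an erasure request by dropping the customer's records while keeping only a hashed tombstone. The customer id, purposes and form references are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: a grant or withdrawal of consent for one purpose."""
    subject_id: str       # pseudonymous customer id (constructed value in the demo)
    purpose: str          # what the data is used for, e.g. "promotional_email"
    granted: bool         # True for an opt-in, False for a withdrawal
    lawful_basis: str     # the ground relied on, e.g. "consent" or "contract"
    evidence: str         # how the decision was captured, e.g. form id and version
    at: datetime          # UTC timestamp of the capture


class ConsentLedger:
    """Append-only consent log that can answer 'may we process X for Y, and why?'."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []
        self._erased: Dict[str, datetime] = {}   # sha256(subject_id) -> when erased

    def record(self, subject_id: str, purpose: str, granted: bool,
               lawful_basis: str, evidence: str,
               at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted, lawful_basis, evidence,
                          at or datetime.now(timezone.utc))
        self._events.append(ev)     # earlier entries are never edited or deleted
        return ev

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The most recent decision for this subject and purpose, if any."""
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose]
        return max(matching, key=lambda e: e.at) if matching else None

    def may_process(self, subject_id: str, purpose: str) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason is the auditable justification."""
        ev = self.latest(subject_id, purpose)
        if ev is None:
            return False, "no recorded lawful basis for this purpose"
        if not ev.granted:
            return False, f"consent withdrawn on {ev.at.isoformat()}"
        return True, f"{ev.lawful_basis} recorded on {ev.at.isoformat()} via {ev.evidence}"

    def withdraw(self, subject_id: str, purpose: str,
                 evidence: str = "unsubscribe_link") -> ConsentEvent:
        """Opt-out is one call; it appends a withdrawal instead of editing the grant."""
        ev = self.latest(subject_id, purpose)
        basis = ev.lawful_basis if ev else "consent"
        return self.record(subject_id, purpose, False, basis, evidence)

    def erase(self, subject_id: str) -> int:
        """Erasure request: drop the subject's events, keep only a hashed tombstone."""
        before = len(self._events)
        self._events = [e for e in self._events if e.subject_id != subject_id]
        digest = hashlib.sha256(subject_id.encode()).hexdigest()
        self._erased[digest] = datetime.now(timezone.utc)
        return before - len(self._events)

    def was_erased(self, subject_id: str) -> bool:
        return hashlib.sha256(subject_id.encode()).hexdigest() in self._erased


def demo() -> dict:
    """Walk through the swimsuit-order scenario with constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # Contract basis: the address is needed to ship the order (no opt-in box involved).
    ledger.record("cust-42", "shipping", True, "contract", "order #1001 checkout", t0)
    # Consent basis: a separate, unticked-by-default newsletter box was ticked.
    ledger.record("cust-42", "promotional_email", True, "consent",
                  "checkout form v3, newsletter box ticked", t0)
    ok_before, why_before = ledger.may_process("cust-42", "promotional_email")
    ledger.withdraw("cust-42", "promotional_email")
    ok_after, why_after = ledger.may_process("cust-42", "promotional_email")
    ship_ok, _ = ledger.may_process("cust-42", "shipping")
    removed = ledger.erase("cust-42")
    return {"ok_before": ok_before, "why_before": why_before,
            "ok_after": ok_after, "why_after": why_after,
            "shipping_unaffected": ship_ok, "events_removed": removed,
            "erased": ledger.was_erased("cust-42"),
            "after_erase": ledger.may_process("cust-42", "shipping")[0]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter here: the ledger stores the basis and the evidence next to each decision, so the answer to "why did you email me?" is a lookup rather than a reconstruction, and withdrawal never overwrites the original grant, so the history of what the customer agreed to and when remains provable after they opt out.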
Meet Omnibasis
To comply with these regulations, your company can build a
consent management system or turn to the Omnibasis cloud-based platform. Get
compliant today by using the cloud-based consent management platform from
Omnibasis, and enable your customers to manage the consents and
permissions they have given, as well as documenting your customer interactions. Start today for free at omnibasis.com
About Omnibasis
Omnibasis is a business management solution to run your sales,
marketing, commerce, and operations, powered by blockchain technology.
Visit omnibasis.com to
meet the operating system for your business.