Lawful bases for processing data without consent under GDPR
Now that GDPR has come into effect, companies should have stopped emailing you begging you to re-sign up to their marketing lists and should only process your data (whether electronic or on paper) according to the new regulations. A point which has often been missed in the run-up to GDPR implementation is that there are many lawful bases for processing data without the individual’s consent.
Being able to process data without consent is particularly important for ecommerce merchants, as you’ll be taking payments, shipping parcels, completing your accounts and submitting tax returns, and for all these activities you’ll need to process customer data.
Under GDPR, there are six lawful bases for processing data. One of these is consent; for the other five bases you don’t need the consumer’s permission.
The lawful bases for processing data under GDPR
Under all six lawful bases for processing data under GDPR, there is an overriding question to ask: does the consumer’s privacy override the requirement to process data? For instance, you will need to pick and pack orders but, especially if you are a seller of potentially embarrassing products, do you need the customer names on your pick lists or just the order number?
The amount of data made available both within and without your organisation should be limited to the minimum required to process the task in hand. An example is with packaging labels – you shouldn’t need to specify the contents (except on customs documentation) as the customer has a right to expect privacy and have parcels delivered without the courier knowing the package contents. Don’t forget, parcels may at times be left with neighbours.
If a consumer gives you consent to use their data then this will normally be for a specific purpose. For instance, they may give consent by actively subscribing to your mailing list by ticking a box or filling out a sign-up form. However, you should be aware that they have only given consent to use their data for that one purpose and you can’t, for instance, automatically add them to your other mailing lists.
Of top interest to ecommerce merchants is that you can process data to complete a contract without any specific permissions from the consumer. This includes producing invoices, picking and packing lists, labels, courier notifications and sending emails related to the sale.
You should still be aware that you have a duty of care to protect customer data and this includes data in paper form – consider what you do with packing lists once the order is fulfilled – do you, for instance, shred them?
In some circumstances you will be legally obliged to process data to comply with the law. An example could be disclosing, for a speeding offence, who was driving a company vehicle at the time of the incident.
You’ll also be obliged to complete accounts, tax returns, payroll and pensions, all of which require a certain amount of consumer data to be processed.
Vital interests generally mean you need to process data to save someone’s life. There are few reasons in ecommerce when this would apply but, for instance, if a marketplace or retailer sees a purchase for equipment that could collectively be used for terrorist purposes then vital interests would outweigh the rights of privacy and data should be shared with the authorities.
The public task basis for processing data is unlikely ever to apply to ecommerce merchants – it covers performing tasks in the public interest or in your official capacity where the task has a clear basis in law.
Legitimate interests is both the most relaxed reason for processing data and at the same time the one you need to be most diligent about. You don’t need permission to process data, for instance to determine what your top selling products are. You can process any data you like unless there’s a good reason to protect an individual’s personal data which overrides your legitimate interest. Anonymising data can assist with balancing privacy with business needs.
There are three tests which will determine whether you have a lawful basis for processing data under legitimate interests or whether you should find a different method to complete the task:
- Purpose test: are you pursuing a legitimate interest?
Your interests may be commercial or they may be trivial, although trivial interests may be harder to justify under the balancing test. A commercial example could be assessing the fraud risk for a transaction and a trivial reason could be releasing a Top 10 Best Seller list.
- Necessity test: is the processing necessary for that purpose?
You should question whether processing the data is required or whether there is a reasonable, less intrusive way to achieve the same result.
- Balancing test: do the individual’s interests override the legitimate interest?
You should question whether individuals would reasonably expect their data to be used for your objectives; if not, their privacy overrides your interests. A conflict doesn’t prevent you from processing the data if there is a clear justification for the impact on the individual.
Only if all three tests are met should you process the data in question under legitimate interests. It is also worth noting that you can share data with a third party under legitimate interests – for instance with your multichannel management provider, with couriers, and with your accountant. They should in turn determine their own lawful basis for handling and processing the data.