GDPR Consent Management and Legitimate Interests Insight Webinar TrustArc

PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
Managing Consent and Legitimate

Interests Under the GDPR
June 27th, 2018
© 2018 TrustArc Inc Proprietary and Confidential Information

Thank you for joining today’s webinar:
“Managing Consent and Legitimate Interests
Under the GDPR."
• We will be starting a couple minutes after the hour.
• This webinar will be recorded and the recording

and slides sent out later today.
• Please use the GotoWebinar control panel on the

right hand side to submit any questions for the
speakers.
2 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Today’s Speaker
Ray Everett
Principal Consultant &
Director of EMEA/Global Consulting
TrustArc
3 3 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Today’s Agenda
• Welcome & Introduction
• Finding your Lawful Basis
• Looking at Legitimate Interest
• Approaches to Consent
• Demonstrating & Maintaining Compliance
• Summary & Questions
4 4 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Thanks for your interest in the webinar slides!
To watch the on-demand recording please CLICK HERE.

Finding your Lawful Basis for

Processing
6 © 2018 TrustArc Inc Proprietary and Confidential Information

Article 6(1) sets out the applicable bases
• Consent
• Performance of a Contract
• Legal Obligation
• Vital Interests of the Data Subject
• Public Interest
• "[L]egitimate interests pursued by the controller or
by a third party, except where such interests are
overridden by the interests or fundamental rights
and freedoms of the data subject…"

Article 6(1) sets out the applicable bases
• Consent
• Performance of a Contract
• Legal Obligation
• Vital Interests of the Data Subject
• Public Interest
• "[L]egitimate interests pursued by the controller or
by a third party, except where such interests are
overridden by the interests or fundamental rights
and freedoms of the data subject…"

Consent was "King"
• Consent was the gold standard

– If you had a credible claim for consent, you could do
just about anything.
– EULA model and the "Kitchen sink" approach to
Privacy Notices
• Led to excesses and devaluing/distrust of
consent

Consent was "King"
• Consent was the gold standard

– If you had a credible claim for consent, you could do
just about anything.
– EULA model and the "Kitchen sink" approach to
Privacy Notices
• Led to excesses and devaluing/distrust of
consent

So… How to decide?
• Performance of a contract seems simple…

– Are you processing data needed to enter into a
contract? (Order quotes, negotiations, terms related to
personal data, etc.?)
– Is that processing truly necessary? Essential to the
transaction?
– Can you document that basis in a clear and compelling
way?
• Danger in overbroad interpretation of what's
within the scope of "necessary"
– E.g., is email consent really necessary? ("soft opt-in"
vs. overreading what you think is a "hard opt-in")

Example: Hogan Lovells

Example: Hogan Lovells

So… How to decide?
ICO comments on Consent (vs. another basis):
"If you would still process the personal data on a

different lawful basis even if consent were refused
or withdrawn, then seeking consent from the
individual is misleading and inherently unfair."
"If you require someone to agree to processing as a

condition of service, consent is unlikely to be the
most appropriate lawful basis for the processing."
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/when-is-consent-appropriate/

Example: Razer

Let's talk about Legitimate

Interest

Back to Basics
Recital 47: "The legitimate interests of a controller,

including those of a controller to which the personal
data may be disclosed, or of a third party, may
provide a legal basis for processing, provided that
the interests or the fundamental rights and
freedoms of the data subject are not overriding,
taking into consideration the reasonable
expectations of data subjects based on their
relationship with the controller."
(emphasis added)

Recital 47
"[T]he existence of a legitimate interest would need

careful assessment including whether a data
subject can reasonably expect at the time and in
the context of the collection of the personal data
that processing for that purpose may take place."
"The processing of personal data for direct

marketing purposes may be regarded as carried out
for a legitimate interest." (emphasis added)

Example: Dun & Bradstreet

Guidance from the UK ICO
"A company that provides credit cards asks its customers to

give consent for their personal data to be sent to credit
reference agencies for credit scoring.
"However, if a customer refuses or withdraws their consent,
the credit card company will still send the data to the credit
reference agencies on the basis of ‘legitimate interests’. So
asking for consent is misleading and inappropriate – there is
no real choice. The company should have relied on
‘legitimate interests’ from the start. To ensure fairness and
transparency, the company should still tell customers this will
happen, but this is very different from giving them a choice."
(March 2017)

Guidance from Article 28 Working Party
"In this context, the Working Party also supports

the principled approach chosen in the Proposed
Regulation of broad prohibitions and narrow
exceptions, and believes that the introduction of
open-ended exceptions along the lines of Article 6
GDPR, and in particular Art. 6(f) GDPR (legitimate
interest ground), should be avoided." (emphasis in
original)
(April 4, 2017)

More Guidance from the UK ICO
Legitimate Interest may most appropriate when:

• the processing is not required by law but is of a
clear benefit to you or others;
• there’s a limited privacy impact on the individual;
• the individual should reasonably expect you to
use their data in that way; and
• you cannot, or do not want to, give the individual
full upfront control (i.e., consent) or bother them
with disruptive consent requests when they are
unlikely to object to the processing.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-
legitimate-interests/

For Example… Employee and Client Data
Legitimate interest could exist where there is a

‘relevant and appropriate relationship’
• "your interests and those of the individual are
actually aligned or intertwined"
• However this does not mean there’s automatically
a mutual legitimate interest.
• If the processing is actually necessary for you to
perform your side of a contract with the employee
or client, then you should consider Article 6(1)(b)
instead.

Example: Carlyle Group

More Guidance from the UK ICO
"[A]s long as the marketing is carried out in

compliance with e-privacy laws and other legal and
industry standards, in most cases it is likely that
direct marketing is a legitimate interest."
"If you intend to process personal data for the
purposes of direct marketing by electronic means
(by email, text, automated calls, etc.) legitimate
interests may not always be an appropriate basis
for processing."
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-
legitimate-interests/

Example: BuzzFeed

Assessing Legitimate Interest
• Using data in ways

– they would reasonably expect
– have a minimal privacy impact, or
– where there is a compelling justification
• If you choose to rely on legitimate interests, you
are taking on extra responsibility for considering
and protecting people’s rights and interests.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/

Assessing Legitimate Interest
• "Legitimate Interest Assessment" (LIA)

– Identify the legitimate interest ("purpose" test)
– Determining necessity ("necessity" test)
– Balancing data subject rights ("balancing" test)
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-
interests-in-practice/

Purpose Test
• Why do you want to process the data?

• What benefit do you expect to get from the processing?
• Do any third parties benefit from the processing?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would the impact be if you couldn’t go ahead?
• What is the intended outcome for individuals?
• Are you complying with other relevant laws?
• Are you complying with industry guidelines or codes of
practice?
• Are there any ethical issues with the processing?

Necessity Test
• Will the processing actually help you achieve your

purpose?
• Is the processing proportionate to that purpose, or could it
be seen as using a sledgehammer to crack a nut?
• Can you achieve your purpose without processing the
data, or by processing less data?
• Can you achieve your purpose by processing the data in
another more obvious or less intrusive way?
– If on the face of it there are potentially other less
intrusive alternatives you need to be clear in your LIA
why these are not reasonable alternatives.

Balancing Test
• "[W]e recommend you focus primarily on your

own interests and avoid undue focus on
presumed benefits to customers unless you have
very clear evidence of their preferences."
• "There is no exhaustive list of what you should
take into account when conducting the balancing
test." But consider:
– the nature of the personal data you want to process;
– the reasonable expectations of the individual; and
– the likely impact of the processing on the individual
and whether any safeguards can be put in place to
mitigate negative impacts.
Example: Weetabix

Example: Garmin

How to you analyze and decide?
• Lawful Basis
Assessment
– Shaped by many inputs
(ICO's LIA, DPN, etc.)
– Identifies applicability
of each potential basis
– Document how your
reached your decision
– Can be process-centered or data element/category
centered (aligned with your records in Data Flow
Manager)
(TrustArc platform customers can have this added to their account)

Approaches to Consent

The Consent Tsunami of 2018
The big question: was it all necessary?

It depends…
• Poor list hygiene?

• Stale lists?
• Uncertain/questionable source provenance?
• "Aggressive" interpretation of past opt-in scope?
• Solid Privacy and Electronic Communications
Regulation (PECR) compliance program pre-
GDPR?
• Wanna make some money?

Example: Unnamed Software Company
• Heavily acquisitive company, many diverse

mailing lists with mixed levels of confidence
• Wide range of product offerings, some with
"reasonable" cross-over appeal, some not
• Past issues with data breach > preference for
data minimization
• Strong case for "soft opt-in" on most lists (from
prior transactions)

• Send the standard "GDPR" email, with a twist...

– "GDPR, blah, blah, we're updating privacy notices, etc.
– Since you've been a previous customer, we'd like to
offer you <tailored offer, e.g., you bought product X &
Y, we'll give you Z at 40% off, etc.>.
– If you want this offer, click through.
– If you don't want this offer, we'll be removing you from
our list
– If you want to see future offers like this, please opt in.
– Otherwise, see ya!

• Send the standard "GDPR" email, with a twist...

– "GDPR, blah, blah, we're updating privacy notices, etc.
– Since you've been a previous customer, we'd like to
offer you <tailored offer, e.g., you bought product X &
Y, we'll give you Z at 40% off, etc.>.
– If you want this offer, click through.
– If you don't want this offer, we'll be removing you from
our list
– If you want to see future offers like this, please opt in.
– Otherwise, see ya!
>$14 million in sales
Substantial purge; remainder with unambiguous consent

ICO on Seeking Consent
• Request consent clearly, prominently

• Clear notice with details about
– Your organization and any 3rd parties
– Processing purpose
– Right to withdraw consent
• Active opt-in, no pre-checked boxes
– Consider granular choices and options
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

Example: Manchester United

Example: Manchester United

Example: ASOS

Example: ASOS

Example: Green Man Gaming

Demonstrating and Maintaining

Compliance

Article 29 WP on Demonstrating Consent
• Recital 42: “Where processing is based on the

data subject's consent, the controller should be
able to demonstrate that the data subject has
given consent to the processing operation.”
• Controllers can devise their own methods, but
they should:
– Have enough data to show link between consent and
the processing (how, when, what was disclosed
adequately described flows and uses)
– Demonstrate they aren't collecting more data than
necessary

Article 29 WP on Demonstrating Consent
• "For example, in an online context, a controller

could retain information on the session in which
consent was expressed, together with
documentation of the consent workflow at the
time of the session, and a copy of the information
that was presented to the data subject at that
time."

ICO on Recording Consent
• Keep records to evidence consent – who

consented, when, how, and what they were told.
• Make it easy for people to withdraw consent at
any time they choose. Consider using preference-
management tools.
• Keep consents under review and refresh them if
anything changes. Build regular consent reviews
into your business processes.

Managing Consent & Individual Rights
• Build/implement a preference management

system tied to your global data repositories
• Build/implement a request handling system for IR
Augment with:
• TrustArc Direct Marketing Consent Manager
• TrustArc Individual Rights Manager
• TrustArc Cookie Consent Manager
• TrustArc Dispute Resolution Manager
• TrustArc Ads Compliance Manager

Conclusions

Summing up…
• Decide which parts of your processing hinge on

consent; if you can't operate without consent,
then that's not the right basis for that activity
• Legitimate Interest "reasonable expectation" can
be shaped by transparency and clarity
• Don't try to stretch Legitimate Interest too far
• If you're relying on Consent, get creative to
convey your value proposition
• Document your basis, including in your notice

Thanks for your interest in the webinar slides!
To watch the on-demand recording please CLICK HERE.

Questions?
Register now for our next webinar: "Getting to Know the New
European Data Protection Board (EDPB)" on Wed. July 25th.
See http://www.trustarc.com/insightseries for the 2018

Privacy Insight Series and past webinar recordings.

Contact
Ray Everett email: reverett@trustarc.com

Thank You!

GDPR Consent Management and Legitimate Interests Insight Webinar TrustArc

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GDPR Consent Management and Legitimate Interests Insight Webinar TrustArc

Uploaded by

Copyright:

Available Formats

PRIVACY INSIGHT SERIES

Summer / Fall 2018 Webinar Program

Managing Consent and Legitimate

June 27th, 2018

© 2018 TrustArc Inc Proprietary and Confidential Information

• This webinar will be recorded and the recording

• Please use the GotoWebinar control panel on the

2 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

3 3 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Welcome & Introduction

• Finding your Lawful Basis

• Looking at Legitimate Interest

• Demonstrating & Maintaining Compliance

• Summary & Questions

4 4 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Thanks for your interest in the webinar slides!

To watch the on-demand recording please CLICK HERE.

© 2018 TrustArc Inc Proprietary and Confidential Information

Finding your Lawful Basis for

6 © 2018 TrustArc Inc Proprietary and Confidential Information

7 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

8 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Consent was the gold standard

9 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Consent was the gold standard

10 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Performance of a contract seems simple…

11 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

12 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

13 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

ICO comments on Consent (vs. another basis):

"If you would still process the personal data on a

"If you require someone to agree to processing as a

14 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

15 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Let's talk about Legitimate

© 2018 TrustArc Inc Proprietary and Confidential Information

Recital 47: "The legitimate interests of a controller,

17 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

"[T]he existence of a legitimate interest would need

"The processing of personal data for direct

18 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

19 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

"A company that provides credit cards asks its customers to

20 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

"In this context, the Working Party also supports

21 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Legitimate Interest may most appropriate when:

22 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

Legitimate interest could exist where there is a

23 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

24 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

"[A]s long as the marketing is carried out in

25 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

26 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Using data in ways

27 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• "Legitimate Interest Assessment" (LIA)

28 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Why do you want to process the data?

29 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• Will the processing actually help you achieve your

30 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc

• "[W]e recommend you focus primarily on your