
PRIVACY INSIGHT SERIES

Summer / Fall 2018 Webinar Program

Managing Consent and Legitimate Interests Under the GDPR

June 27th, 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Thank you for joining today's webinar: "Managing Consent and Legitimate Interests Under the GDPR."

• We will be starting a couple of minutes after the hour.
• This webinar will be recorded and the recording and slides sent out later today.
• Please use the GotoWebinar control panel on the right-hand side to submit any questions for the speakers.

Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc


Today’s Speaker

Ray Everett
Principal Consultant &
Director of EMEA/Global Consulting
TrustArc



Today’s Agenda

• Welcome & Introduction

• Finding your Lawful Basis

• Looking at Legitimate Interest

• Approaches to Consent

• Demonstrating & Maintaining Compliance

• Summary & Questions






Finding your Lawful Basis for Processing



Article 6(1) sets out the applicable bases

• Consent
• Performance of a Contract
• Legal Obligation
• Vital Interests of the Data Subject
• Public Interest
• "[L]egitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject…"





Consent was "King"

• Consent was the gold standard
– If you had a credible claim for consent, you could do just about anything.
– EULA model and the "kitchen sink" approach to Privacy Notices
• Led to excesses and devaluing/distrust of consent





So… How to decide?

• Performance of a contract seems simple…
– Are you processing data needed to enter into a contract? (Order quotes, negotiations, terms related to personal data, etc.?)
– Is that processing truly necessary? Essential to the transaction?
– Can you document that basis in a clear and compelling way?
• Danger in overbroad interpretation of what's within the scope of "necessary"
– E.g., is email consent really necessary? ("soft opt-in" vs. overreading what you think is a "hard opt-in")



Example: Hogan Lovells





So… How to decide?

ICO comments on Consent (vs. another basis):

"If you would still process the personal data on a different lawful basis even if consent were refused or withdrawn, then seeking consent from the individual is misleading and inherently unfair."

"If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing."

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/when-is-consent-appropriate/



Example: Razer




Let's talk about Legitimate Interest



Back to Basics

Recital 47: "The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller." (emphasis added)



Recital 47

"[T]he existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place."

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." (emphasis added)



Example: Dun & Bradstreet



Guidance from the UK ICO

"A company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies for credit scoring.

"However, if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of 'legitimate interests'. So asking for consent is misleading and inappropriate – there is no real choice. The company should have relied on 'legitimate interests' from the start. To ensure fairness and transparency, the company should still tell customers this will happen, but this is very different from giving them a choice." (March 2017)



Guidance from the Article 29 Working Party

"In this context, the Working Party also supports the principled approach chosen in the Proposed Regulation of broad prohibitions and narrow exceptions, and believes that the introduction of open-ended exceptions along the lines of Article 6 GDPR, and in particular Art. 6(f) GDPR (legitimate interest ground), should be avoided." (emphasis in original) (April 4, 2017)



More Guidance from the UK ICO

Legitimate Interest may be most appropriate when:

• the processing is not required by law but is of a clear benefit to you or others;
• there's a limited privacy impact on the individual;
• the individual should reasonably expect you to use their data in that way; and
• you cannot, or do not want to, give the individual full upfront control (i.e., consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/



For Example… Employee and Client Data

Legitimate interest could exist where there is a 'relevant and appropriate relationship'
• "your interests and those of the individual are actually aligned or intertwined"
• However, this does not mean there's automatically a mutual legitimate interest.
• If the processing is actually necessary for you to perform your side of a contract with the employee or client, then you should consider Article 6(1)(b) instead.



Example: Carlyle Group



More Guidance from the UK ICO

"[A]s long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest."

"If you intend to process personal data for the purposes of direct marketing by electronic means (by email, text, automated calls, etc.) legitimate interests may not always be an appropriate basis for processing."

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/



Example: BuzzFeed



Assessing Legitimate Interest

• Using data in ways
– they would reasonably expect,
– that have a minimal privacy impact, or
– where there is a compelling justification
• If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people's rights and interests.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/



Assessing Legitimate Interest

• "Legitimate Interest Assessment" (LIA), in three parts:
– Identify the legitimate interest ("purpose" test)
– Determine necessity ("necessity" test)
– Balance against data subject rights ("balancing" test)

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/



Purpose Test

• Why do you want to process the data?
• What benefit do you expect to get from the processing?
• Do any third parties benefit from the processing?
• Are there any wider public benefits to the processing?
• How important are those benefits?
• What would the impact be if you couldn't go ahead?
• What is the intended outcome for individuals?
• Are you complying with other relevant laws?
• Are you complying with industry guidelines or codes of practice?
• Are there any ethical issues with the processing?



Necessity Test

• Will the processing actually help you achieve your purpose?
• Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?
• Can you achieve your purpose without processing the data, or by processing less data?
• Can you achieve your purpose by processing the data in another more obvious or less intrusive way?
– If on the face of it there are potentially other less intrusive alternatives, you need to be clear in your LIA why these are not reasonable alternatives.



Balancing Test

• "[W]e recommend you focus primarily on your own interests and avoid undue focus on presumed benefits to customers unless you have very clear evidence of their preferences."
• "There is no exhaustive list of what you should take into account when conducting the balancing test." But consider:
– the nature of the personal data you want to process;
– the reasonable expectations of the individual; and
– the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate negative impacts.

Example: Weetabix



Example: Garmin



How do you analyze and decide?

• Lawful Basis Assessment
– Shaped by many inputs (ICO's LIA, DPN, etc.)
– Identifies the applicability of each potential basis
– Documents how you reached your decision
– Can be process-centered or data element/category-centered (aligned with your records in Data Flow Manager)
(TrustArc platform customers can have this added to their account)




Approaches to Consent



The Consent Tsunami of 2018

The big question: was it all necessary?



It depends…

• Poor list hygiene?
• Stale lists?
• Uncertain/questionable source provenance?
• "Aggressive" interpretation of past opt-in scope?
• Solid Privacy and Electronic Communications Regulation (PECR) compliance program pre-GDPR?
• Wanna make some money?



Example: Unnamed Software Company

• Heavily acquisitive company, many diverse mailing lists with mixed levels of confidence
• Wide range of product offerings, some with "reasonable" cross-over appeal, some not
• Past issues with data breach > preference for data minimization
• Strong case for "soft opt-in" on most lists (from prior transactions)





Example: Unnamed Software Company

• Send the standard "GDPR" email, with a twist...
– "GDPR, blah, blah, we're updating privacy notices, etc."
– Since you've been a previous customer, we'd like to offer you <tailored offer, e.g., you bought product X & Y, we'll give you Z at 40% off, etc.>.
– If you want this offer, click through.
– If you don't want this offer, we'll be removing you from our list.
– If you want to see future offers like this, please opt in.
– Otherwise, see ya!

Result: >$14 million in sales. Substantial purge; remainder with unambiguous consent.



ICO on Seeking Consent

• Request consent clearly and prominently
• Clear notice with details about
– Your organization and any 3rd parties
– Processing purpose
– Right to withdraw consent
• Active opt-in, no pre-checked boxes
– Consider granular choices and options

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/



Example: Manchester United





Example: ASOS





Example: Green Man Gaming




Demonstrating and Maintaining Compliance



Article 29 WP on Demonstrating Consent

• Recital 42: "Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation."
• Controllers can devise their own methods, but they should:
– Have enough data to show the link between the consent and the processing (how and when consent was given, and what was disclosed: adequately described flows and uses)
– Demonstrate they aren't collecting more data than necessary



Article 29 WP on Demonstrating Consent

• "For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time."



ICO on Recording Consent

• Keep records to evidence consent – who consented, when, how, and what they were told.
• Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
• Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

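The Article 29 WP and ICO slides above spell out what a consent record has to be able to prove: who consented, when, how, in which session, and exactly what they were told, plus a clean record of withdrawal. The following Python is an added example of such an evidence log; it is not code from TrustArc, the ICO or the Working Party. The class names, the AFFIRMATIVE_METHODS set, the notice wording, and the subject and session identifiers are all constructed for illustration. The log keeps a verbatim copy of every notice version, pins each grant or withdrawal to a SHA-256 digest of the notice text shown at that moment, refuses to record a grant captured by anything other than an affirmative act (no pre-checked boxes), answers "did this person consent to this purpose at time T", and detects a retained notice text that has been altered after the fact.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed set of capture methods that count as an affirmative act by the
# data subject. A pre-ticked box or silence is deliberately not in this set.
AFFIRMATIVE_METHODS = {"web_form_unticked_box", "preference_centre", "double_opt_in_email"}


def notice_digest(text: str) -> str:
    """SHA-256 of the exact notice wording shown, so the record pins down
    what the person was told even if the notice is revised later."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentEvent:
    """One grant (granted=True) or withdrawal (granted=False) of consent."""
    subject_id: str
    purposes: Tuple[str, ...]   # processing purposes this event covers
    granted: bool
    method: str                 # how: which capture mechanism was used
    session_id: str             # the session in which consent was expressed
    notice_version: str         # which notice / workflow version was in force
    notice_sha256: str          # digest of the notice text at that moment
    timestamp: str              # when: ISO 8601 in UTC


class ConsentLog:
    """Append-only evidence log: events plus verbatim copies of every notice."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []
        self.notices: Dict[str, str] = {}

    def register_notice(self, version: str, text: str) -> None:
        """Retain the exact information presented to data subjects."""
        self.notices[version] = text

    def record(self, subject_id: str, purposes: Iterable[str], method: str,
               session_id: str, notice_version: str, granted: bool = True,
               at: Optional[str] = None) -> ConsentEvent:
        if notice_version not in self.notices:
            raise ValueError("retain the notice text before recording consent against it")
        if granted and method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not an affirmative act; not recorded as consent")
        event = ConsentEvent(
            subject_id=subject_id,
            purposes=tuple(purposes),
            granted=granted,
            method=method,
            session_id=session_id,
            notice_version=notice_version,
            notice_sha256=notice_digest(self.notices[notice_version]),
            timestamp=at or datetime.now(timezone.utc).isoformat(),
        )
        self.events.append(event)
        return event

    def withdraw(self, subject_id: str, purposes: Iterable[str], method: str,
                 session_id: str, notice_version: str, at: Optional[str] = None) -> ConsentEvent:
        """Withdrawal is its own event; the original grant is never deleted."""
        return self.record(subject_id, purposes, method, session_id, notice_version,
                           granted=False, at=at)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[str] = None) -> bool:
        """The most recent event for this subject and purpose (up to `at`) decides."""
        cutoff = at or datetime.now(timezone.utc).isoformat()
        state = False
        for ev in sorted(self.events, key=lambda e: e.timestamp):
            if ev.subject_id == subject_id and purpose in ev.purposes and ev.timestamp <= cutoff:
                state = ev.granted
        return state

    def evidence(self, subject_id: str, purpose: str) -> List[dict]:
        """Everything needed to demonstrate consent: the events and the notice text shown."""
        out = []
        for ev in sorted(self.events, key=lambda e: e.timestamp):
            if ev.subject_id == subject_id and purpose in ev.purposes:
                rec = asdict(ev)
                rec["notice_text"] = self.notices[ev.notice_version]
                out.append(rec)
        return out

    def verify_integrity(self) -> bool:
        """Flag any retained notice text that no longer matches the digest recorded at consent time."""
        return all(notice_digest(self.notices[ev.notice_version]) == ev.notice_sha256
                   for ev in self.events)


def build_demo() -> ConsentLog:
    """Constructed scenario: a grant in May 2018, withdrawn in July 2018."""
    log = ConsentLog()
    log.register_notice("2018-05", "Example Ltd (constructed) will email you product offers. "
                                   "You can withdraw at any time in the preference centre.")
    log.record("user-42", ["email_marketing"], "web_form_unticked_box", "sess-a1", "2018-05",
               at="2018-05-25T09:00:00+00:00")
    log.withdraw("user-42", ["email_marketing"], "preference_centre", "sess-b2", "2018-05",
                 at="2018-07-01T12:00:00+00:00")
    return log


if __name__ == "__main__":
    demo = build_demo()
    print(demo.has_consent("user-42", "email_marketing", at="2018-06-27T00:00:00+00:00"))  # True
    print(demo.has_consent("user-42", "email_marketing"))  # False: withdrawn in July
    print(demo.verify_integrity())  # True
```

Two design choices matter for the "demonstrate" requirement. Withdrawal is appended as an event rather than by deleting the grant, so the log can show both that consent existed for the period the marketing ran and that it ended when the person asked. Storing the notice digest alongside each event means a later edit to the notice text (deliberate or accidental) is caught by `verify_integrity()` instead of silently rewriting what people were told.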


Managing Consent & Individual Rights

• Build/implement a preference management system tied to your global data repositories
• Build/implement a request handling system for individual rights (IR)

Augment with:
• TrustArc Direct Marketing Consent Manager
• TrustArc Individual Rights Manager
• TrustArc Cookie Consent Manager
• TrustArc Dispute Resolution Manager
• TrustArc Ads Compliance Manager




Conclusions



Summing up…

• Decide which parts of your processing hinge on consent; if you can't operate without consent, then that's not the right basis for that activity
• Legitimate Interest "reasonable expectation" can be shaped by transparency and clarity
• Don't try to stretch Legitimate Interest too far
• If you're relying on Consent, get creative to convey your value proposition
• Document your basis, including in your notice






Questions?
Register now for our next webinar: "Getting to Know the New European Data Protection Board (EDPB)" on Wed. July 25th.

See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.




Contact
Ray Everett email: reverett@trustarc.com




Thank You!
