What Does the GDPR Require? Part 2

The most common confusion surrounding the GDPR (General Data Protection Regulation) seems to arise when data controllers attempt to determine how to comply in handling consent. In this second part of the series, I’ll try to clarify the requirements a bit. (See Part 1 here)

The overarching premise of the GDPR is that data which can identify a “natural person” (the term the GDPR uses in referring to users), also referred to as a “data subject”, either alone or in combination with other data, remains the sole property of that natural person and can only be processed in ways which that person has specifically approved. Data controllers and data processors are merely the custodians of that data and can both be held equally responsible for any shortcomings in protecting, processing or removing that data.

There are six lawful reasons for processing personal data:

  • A Contract (either sales or service): If your Terms & Conditions or Service Contract are sufficiently explicit as to the type of information gathered and the purposes for which it will be used, this may suffice.
  • Public Task (actions by public authorities): Functions of government sites, for instance.
  • Vital Interests (actions to protect life or limb of the data subject): This can be a touchy area, so don’t assume… investigate fully, especially in terms of health data.
  • Compliance with a legal obligation: A lawful warrant from the Courts, for example.
  • Legitimate interests: When a private-sector organization has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects on the individual’s rights and freedoms.
  • A formal consent document: Personally, in many instances, I see this as a last resort.

Regardless of the justification for lawful collection and processing of personal data, you must clearly communicate exactly what data will be collected and for what purpose(s) it will be processed.

Furthermore, before gathering any personal data, you must present such data collection to the data subject (user), explaining what data will be collected and for what purpose, and the data subject must take a positive action to opt in to allow such collection. No pre-checked boxes, opt-outs or default opt-ins. Old methods like “By continuing, you agree…” won’t cut it any longer.

You’ll notice that a consent document is listed last. There’s a good reason for that. I highly recommend you don’t jump to the conclusion that you need to rewrite your consent form. In fact, many businesses can be better served by not even utilizing a traditional consent form. It bears investigating your options, as the utilization of a consent form can actually place additional requirements upon you that can be burdensome and expensive to fulfill.
About Doc Sheldon

Doc Sheldon has been providing SEO consulting services for nearly 15 years. His passions are technical on-page SEO and the Semantic Web. Fluent in Spanish, he has also provided consulting services to several large clients, specializing in cross-border operations in Latin America. Early on, he saw exciting potential for those who could figure out what the search engines might do next, and were willing to work within the guidelines set by the search engines. To that end, he first founded his content strategy agency, and later launched his SEO agency, now serving clients on four continents with content, WP website customization and technical SEO services.
