INTRODUCTION
There are various legal basis for holding data and each has its own factors to consider.
Item a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Item b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Item c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Item d) Vital interests: the processing is necessary to protect someones life.
Item f) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Item e) Legitimate interests: the processing is necessary for your legitimate interests . But the individuals interests overrides those legitimate interests.
Generally Contact is the easiest because you can address all the Data Protection issues as part of your normal contract (with staff for employment, or suppliers for services, or customers)
There may be issues however where you want people to have the option to decide. You want them to Consent
CONSENT
The law has particular conditions with Consent
Consent must be:
Freely given, specific, informed and unambiguous
Given by a statement or a clear affirmative action indicating the data subjects agreement to personal data being processed
Practical examples:
Ticking a box when visiting a website
Choosing technical settings for information society services or other conduct clearly indicating acceptance in a particular context Pre-ticked box, silence, or inactivity should not constitute consent
| Right to Erase | Right to Portable | Right to Object | |
| Consent | YES | YES | Right to withdraw consent |
| Contract | YES | YES | NO |
| Legal Obligation | NO | NO | NO |
| Vital Interests | YES | NO | NO |
| Public Tasks | NO | NO | YES |
| Legitimate Interests | YES | NO | YES |
MANAGING CONSENT
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
the name of your organisation
the name of any third party controllers who will rely on the consent
why you want the data
what you will do with it and
that individuals can withdraw consent at any time.
You must ask people to actively opt in. Dont use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (granular) options to consent to different purposes and different types of processing.
Keep records to evidence consent who consented, when, how, and what they were told.
You can address all the above if the document asking for Consent also explains, refers to, or has a link to your Privacy Statement, where the data-subject can find out more about the data you hold, the purpose and their rights.
RENEWING CONSENT
There is a lot of confusion in this area.
Question: If you have already got full documented consent (for the purposes and circumstances that you have used the data and will continue to use the data) do you need to get it again?
Answer: NO
Question: If you have already got consent (but it is not documented, unreliable, you are not sure how or why you got it, and whatever purpose was then it probably not the same now) do you need to get it fresh again?
Answer: YES
Beware using emails that you should not have in the first place to try and get consent has resulted in fines in the UK. Also emailing people who have said do not email me has resulted in fines in the UK. Jersey however is generally more supportive and you are less likely to get a fine unless you have done something seriously wrong.
The Jersey Regulator has transitional arrangements to allow some time for people to switch from old data protection to new data protection.
See https://www.oicjersey.org/wp-content/uploads/2018/05/2018.05.15-Guidance-on-Transitional-Provisions.pdf
Page 5, Para 10 is the Regulator making the point above, if you are adhering to old data protection and FULLY COMPLY and NOTHING HAS CHANGED then carry on. Just make sure you have all the records you for the need new data protection by 25 May 2019 (see Page 4 of the guidance)
So whats the impact.?
Well you need to decide for yourself, but if you were legal, decent and honest with Data Protection 2005 you can carry on for now, but in my opinion youve got 12 months to update everything to fit the new standards of Data Protection 2018.
EXAMPLE OF CONSENT
This is a bit artificial, but hopefully illustrates the points above.
Please tick the following boxes for each of the services you would like
| YES / NO | Our weekly newsletter By agreeing to this we will use your name and address data to send you a newsletter. You can unsubscribe at any time. This data is not shared or used for any other purpose. For more information about what data we hold see our Privacy Notice. Or contact us |
| YES / NO | Our monthly prize draw By agreeing to this we will use your name and address data for a draw. If you are a winner we may share this with the media to celebrate your good fortune. We will contact you before sharing information about you in the weekly newsletter or contacting the media. For more information about what data we hold see our Privacy Notice. Or contact us |
| YES / NO | Our valued customer discount promotions By agreeing to this we will share your name and address data and interests with other organisations offering goods and services like ours. We do not control how those organisations use your data. If you do not wish to be contacted you can register under mailing preferences https://www.mpsonline.org.uk/ For more information about what data we hold see our Privacy Notice. Or contact us |
The above may be paper-form, brochure, website, email. What-ever medium you use make sure you have evidence of consent and only use the data as agreed.
FURTHER READING
https://ico.org.uk/action-weve-taken/enforcement/honda-motor-europe-limited/
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/03/ico-warns-uk-firms-to-respect-customers-data-wishes-as-it-fines-flybe-and-honda/
Link to Jersey Law
https://www.jerseylaw.je/laws/enacted/Pages/L-03-2018.aspx#_Toc506561179
