GDPR Principles: Lawfulness, Fairness and Transparency
This post represents part 1 of a series of posts covering principles of the General Data Protection Regulation (GDPR). The regulation sets out 7 keys principles that set the foundation for the directives to be enforced by the legislation. Today we will be covering lawfulness, fairness, and transparency. Below are links to the full series of posts:
- Part 1 GDPR Principles: Lawfulness, Fairness and Transparency
- Part 2 GDPR Principles: Purpose Limitation
- Part 3 GDPR Principles: Data Minimization
- Part 4 GDPR Principles: Accuracy
- Part 5 GDPR Principles: Storage Limitation (Coming Soon)
- Part 6 GDPR Principles: Integrity and Confidentiality (security) (Coming Soon)
- Part 7 GDPR Principles: Accountability Principle (Coming Soon)
Personal data must be processed in a lawful manner. What this means for businesses is that you must have a valid legal reason for collecting personal data – it’s no longer valid to collect personal information from people for any purpose without a lawful basis for processing the data. The GDPR has outlined six lawful bases for processing and the collecting and processing of personal information must be covered under one of these lawful bases and traceable back to that basis.
The six covered lawful bases for processing are:
- Legal Obligation
- Vital Interests
- Public Tasks
- Legitimate Interests
Consent – This forms a basis if an individual has given clear consent for you to process their personal data for a specific purpose. Collecting consent is a topic on it’s own and one we will look to cover in a future post, but it’s both the most recommended approach for forming a lawful basis. This basis is also one that requires action on your part, your site will need to be updated to gather consent for you to collect PII. This is an area where a lot of businesses are exposing themselves to liability by not collecting consent appropriately. The most common mistake seen is not requiring an explicit consent. Messages saying something to the extent of, “by continuing to use this site you are consenting to the collection of personal data” are not acceptable. The GDPR is very clear on the need for an explicit opt-in mechanism such as an unchecked check box that your user has to check to opt-in to data collection. Although it may take a little extra leg work to become compliant by collecting data using the lawful basis of consent, it becomes the easiest to demonstrate in the event of a regulatory investigation.
Contract – The collection and processing of an individual’s personal data in the process of fulfilling a contractual obligation is considered a lawful basis for processing. Here is a great example dealing with the implied contract of an online purchase.
When a data subject makes an online purchase, a controller processes the address of the individual in order to deliver the goods. This is necessary in order to perform the contract. However, the profiling of an individual’s interests and preferences based on items purchased is not necessary for the performance of the contract and the controller cannot rely on Article 6(1)(b) as the lawful basis for this processing. Even if this type of targeted advertising is a useful part of your customer relationship and is a necessary part of your business model, it is not necessary to perform the contract itself. 1
Defending the collection of personal data under the contractual basis for lawful processing should be used as a last resort. It is much safer to build in consent mechanisms and develop a clear picture of the purposes for processing the personal data and incorporate them into your consent mechanisms. In the example above, collection of consent to process personal data for the purposes of developing product recommendations would leave an organization protected.
Legal Obligation – It is lawful to process personal data if it is done in accordance with a legal obligation. Legal obligations can be compliance with another existing law or by court order for an ad-hoc purpose. Processing of an individual’s personal data under this lawful basis is not recommended without clear reason for doing so. It is recommended to consult an attorney if you intend to collect personal data as part of a legal obligation. Be sure to take extra care in documenting the processing of personal data under the legal obligation lawful basis for processing. Keep in mind that certain individuals rights such as right to erasure are forfeited when their data has been collected and processed as part of legal obligation.
Vital Interests – It becomes lawful to collect and process personal data when it’s in the vital interest of preserving the individual or other natural persons life. This will likely have the most applicability in the field of emergency medial care, when a person is indisposed and cannot give consent. It is still recommend to give a best effort to obtain consent as lawful basis for processing instead of relying on protections from the vital interests basis. Obtaining consent for personal data processing when a patient is admitted would be recommended. If the patient’s health deteriorates while in your care and has a medical emergency that requires the processing of personal data it is better to have collected their consent upfront than to rely on the vital interests basis.
Public Task – This lawful basis isn’t particularly new as far as data privacy is concerned. Governments and other public entities have always had rules and regulations to follow with regard to the privacy of the citizens they serve. The main changes in compliance requirement brought about for the public task bases is that the specific purpose for processing personal data must have a clear basis in law. The requirements for documenting compliance have also been updated to be in line with the other bases.
Legitimate Interests – The legitimate interests basis for processing can be thought of as a catch all basis. It is the most flexible of the bases and the most prone to interpretation. In order to rely on this basis you must:
- Identity the legitimate interest that warrants collection and processing
- Show that collection and processing is necessary to achieve it
- Consider the impacts and interests of the individuals and balance collection and processing methods against them
Once you’ve established a lawful basis for collecting and processing personal data, you still have to document that process and collection was done in the spirit of fairness. One of the best ways to determine if the principle of fairness is being violated is to look for an injury to an individual or group of individuals. Be especially careful when collecting personal information that relates to a protected class such as race or gender. For instance say you are running a resume aggregating service and collect consent from your users to obtain their gender as part of the completion of their profile. A female data subject submits a right to object request after not being granted an interview for a position she felt qualified for and it is determined that the algorithm your aggregation service uses to match applicants to employers is biasing against women inadvertently. This presence of an injury to a group of individuals would violate the principle of fairness in the collection of that data. It could also be determined not to be fairness in collection in processing if you led the individual to believe their gender was only being collected for informational purposes and was not intended to be fed as a parameter to a resume matching algorithm. Even if no injury was present, this would violate the principle of fairness since deceptive methods were used to collect the information, which cloaked the true intent for its use. Keep in mind that although an injury may be present, that does not necessarily form the basis for a violation of the fairness principle. Turbo Tax is a great example. Considerable amounts of personal information are collected as part of the tax filing process, and at the end an estimate of taxes due is provided to the system’s user. Although there is sometimes a monetary loss associated with using the system, the use of the personal information to assist the user in filing their taxes would be considered fair.
The first principle of the GDPR: Lawfulness, Fairness and Transparency focuses mostly on the underlying reasons for collecting and processing personal information and how it will be used. It outlines the need for a lawful basis for processing and discusses the 6 bases for processing that have been identified. The bases of consent is the most recommend basis and organizations would do well to ensure they establish proper consent collection mechanisms. It ensures that data is collected fairly and that the collection does not present unjust injury to an individual or group of individuals, regardless of how many other individuals are unaffected. It ensures that organizations are being transparent in the way they inform their users on the type of information that is collected and the way it will be processed and used. The responsibility lies within the collecting organization to document compliance with principles of the GDPR. Establishing a process for documenting a lawful basis for processing, fairness, and transparency in collection will leave organizations prepared for regulatory scrutiny, help avoid lawsuits and fines.
This article will discuss how a one way hash function can be used in the context of privacy compliance for regulations like the GDPR. Storing customer’s personal data is an inevitability for scaling businesses in today’s technical world. One way hash functions are a useful tool to store sensitive customer data such as passwords and…
The accuracy principle states that controllers and processor should make reasonable efforts to ensure personal data is accurate. They must allow citizens to challenge the accuracy of data and take steps to rectify or erase the data associated with the challenge. Verification is sometimes needed to ensure data is accurate. Controllers and processors should consider the impact to the individual and whether they collected the data or the user provided it when determining appropriate verification steps. Organizations should document challenges and their responses thoroughly and in a timely manner. They should also document the thought process for determining whether personal data needs to be verified and the verification steps taken if necessary.
Data minimization is the concept of collecting the minimum amount of data needed to carry out the stated purpose and no more. When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose as well as limited. The onus is on the organization to document compliance with this principle. We recommend documenting a review of this principle each time new personal data is collected or processed. Conduct at least an annual audit of personal data that has been collected or processed to ensure that changes in the business have not impacted compliance with the data minimization principle.
The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or those purposes compatible with the original purpose. There are a handful of pre-approved compatible purposes such as archiving purposes in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and reasoning behind them. These must be documented externally to be transparent to the end user, and internally with regular audits. Care must be taken when deciding a purpose is compatible with the original. An analysis must be conducted to determine compatibility and it’s a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider linkages to the original purpose, and consequences to the end user.
The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 (DPA) are complex, in depth, complementary legal documents which act as a code of conduct for businesses involved in the processing of personal data. Henceforth these regulations will be referred to as the GDPR. There are many aspects of compliance with these regulations and the best place to keep up to date and understand aspects of compliance is the Information Commissioner’s Office’s (ICO) Guide to General Data Protection Regulation. This article highlights the aspects of compliance that SteadyHOPS provides.