GDPR - Staying in your data processing lane

by Evelyn Wolf, 08 Mar

 

GDPR Data Processing Lanes

There are a lot of GDPR myths going around as well as some misconceptions that are slowly starting to take over. One misconception is that you need consent from everyone you plan to market to. In fact, there are 6 reasons for processing personal data and consent is only one of these. The key is to choose the right one, stay in that lane and adhere to the specific rules of that lane. It’s like driving on the motorway, really!

6 Data Processing Lanes

There are 6 clear legal bases for processing data. Let’s run through them before diving into how to maneuver the lanes.

1. Consent

This is the lane we hear most about in a marketing context. It’s when someone fills out a form on your website and agrees to receive marketing material from you or allows you to process their data in some other way. The text explaining the consent has to be clear and explicit; it should not be pre-ticked, negative (e.g. “If you do not wish to…”) or part of a contract. The latter means you cannot withhold the offer if the person does not consent to receiving further materials from you. It is also your obligation to record consent. This means you have to be able to prove that a person has given it to you.

Consent should be seen as an emergency lane because consent can be withdrawn at any time. 

Consent is something all marketers need to understand. For a deep dive, head to our blog post “Consent, Marketing and the GDPR”.

2. Contractual Necessity

This is the basis for processing personal data when you have to do so to perform or fulfill a contract. It also includes any steps that need to be taken before a contract is entered into, for example if you have to complete an RFP (request for proposal document) to win a contract or do a credit check before closing the deal.

A good example of using contractual necessity is being able to contact existing customers with information based on their purchase. For example, a kitchen appliance shop can contact me about the fridge I purchased (warranties, how to clean it, when to replace it etc.) but they cannot contact me about cookers. This is not what I purchased and therefore I would need to have opted in to receive other marketing information.

Once a contract is invalid or ends, you don’t have a legal basis for processing personal data based on this lane anymore.

3. Legal Obligation

Legal obligation gives you the right to continue to process personal data if for legal reasons you need to do so. These reasons could be holding on to files for audit purposes, tax reasons or another EU or member state law.

This lane doesn’t give you the right to market to the person. So just because you might be legally obliged to hold on to the data, you cannot start emailing the person with offers. However, should the data subject ask to be forgotten, you are allowed to hold on to the personal data that is needed to fulfill your legal obligation. Just communicate this clearly.

4. Vital Interests

This is not a lane any marketer should consider. A good example of processing personal data on the basis of vital interests would be a paramedic opening a patient's wallet or phone to find information about family members or medical conditions.

5. Public Interest

I like to believe what we do at BusinessBrew is of public interest but Nikita quickly told me it’s not under the GDPR - bah humbug! A good example of public interest is the government processing your data so they can send a large emergency warning to your phone.

6. Legitimate Interest

This is the greyest lane and one to be careful with. Legitimate interest includes the continuation of your business. But this doesn’t mean that you can justify emailing a cold list of people as you like. Legitimate interest has to be in proportion and it has to fall within reasonable expectation.

My email address is publicly available on our website. It is therefore in proportion and expected that I may get contacted with offers on a one-on-one basis AND with the option to opt out of further communication. It would be out of proportion and would not fall within expectation if my email address was added to a blanket marketing email list and I received multiple offers into my inbox.

This is the lane that your sales team is likely to use for business development on a one-on-one basis (again, no blanket spammy marketing emails, but you don’t send those anyway, right?).

Driving in the right lane

I’m going to explain how to use the lanes just as we would drive on a motorway. You’ll see, it makes a lot of sense and keeps road rage at bay!  

Sticking to the same lane for all data processes

We all know that one driver that sits in the overtaking lane and doesn’t move over. If you make a decision that “consent” is the basis for all your communication with customers, leads, new contacts, influencers and anyone else in your database, then you are that driver (disclaimer: unless this is right for all your processes but you have to be sure of that).

You need to examine the reason you are processing data for each individual action. Most of your customer communication is likely to fall into contractual necessity, leads likely sit in consent and your business development is most likely driving in the legitimate interest lane.

Overtaking wherever it pleases you

I know a few people who drive like this: overtaking left, right, in the middle. They don’t follow rules and just switch whenever and wherever it pleases them. You shouldn’t do this on the road and you definitely shouldn’t do this with your data processes. A good example would be if a lead has withdrawn consent. You can’t just switch to legitimate interest and keep emailing that person because it pleases you. It neither falls within reasonable expectation on the recipient’s side nor is it in proportion.

If your legitimate reason has ended, you need to start a new data process with a clear legitimate legal basis. For example, if a contract has ended you lose the contractual necessity basis. You may try to get consent for follow-up emails, and this is a change in the data process. You now need to follow the rules in the consent obligation lane.

Follow the rules

Check your mirrors, look over your shoulder, indicate and then move. There are rules on the motorway and here are the rules for your data lanes:

  1. Outline each of your data processes (every lead nurture, event follow-up, customer information, biz dev, legal reasons etc).

  2. Decide which lane works best for each individual process.

  3. Stick to that lane until the data process has been completed (i.e. consent revoked, contract ended, legitimate interest falling out of proportion and / or expectation).  

  4. Only when a data process has ended consider if you have a strong enough reason to move the data into a new lane.

Written by Evelyn Wolf

Inbound strategy specialist and content creator. She will turn your web presence into a magnet and always has wind in her sails.
