PRIVACY

  • If an organisation has not obtained consent to record calls for training purposes, can it cite 'legitimate interest'?

    Some sectors, such as the insurance industry, are required to do so from a regulatory perspective, such as the FCA, and so recording the call does not present a problem.

    But for unregulated businesses, this may present an issue that needs thought. Capturing consent is not mandatory, nor does GDPR say consent is required for audio recordings. But a lawful basis such as Legal Obligation, Performance of a Contract or Legitimate Interest (with appropriate weighting) could very well be used. Nevertheless, GDPR would still require this to be made clear to Data Subjects.

    Any recording could potentially contain personal data, and the only time consent is needed explicitly is if the personal data is extracted as part of a tool, technique or technology used explicitly to identify the caller.

    While legal, contractual, police, health and regulated entities fall into the other lawful bases, ‘training purposes’, or ‘training and monitoring purposes’ are likely to fall into the legitimate interest category.

    Further, it is not only important to identify the correct legal basis under GDPR, but thought too should be given to the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, and associated case law, which are key for monitoring and recording.


  • CNIL hands notice to French energy company

    In March, the French data protection authority (‘CNIL’) announced it had issued a formal notice to DIRECT ENERGIE, Société Anonyme, for failing to obtain consent for the collection of customer usage data from its Linky smart meters. CNIL ordered that Direct Energie were to collect valid consent within three months of receiving the notice.

    The CNIL decision, based on French law, sets down the likely approach of other supervisory authorities within the EU.

    The issue which CNIL has is that at the time customers had meters installed, they were asked to give only a SINGLE CONSENT for both 1) the installation of the meter and 2) the collection of hourly electricity consumption data. The purpose of this data was to enable determination of various tariff benefits.

    Installation of the meters was mandatory, and so consent was not relevant. Therefore, the second limb of the request, i.e. the consent to data collection, was invalid, because it was not freely given as something separate from the installation of the meter. Nor could it be considered informed and specific, as it was bundled together with, and dependent on, the overall contract.

    It is for organisations to ensure their systems reflect the new anti-profiling right and data protection by design, yet clearly Direct Energie failed in this regard. Further, it did not have a legal basis for processing the data, as the hourly consumption data was not necessary for the contract to be fulfilled, since its customers are billed monthly.

    Further, an organisation which seeks to rely on legitimate interest, is required to perform a legitimate interest assessment to enable it to balance those interests with the rights and freedoms of the individual. The collection of hourly data was, according to the CNIL, particularly intrusive and detrimental to the privacy of the individuals and in fact disregarded their rights and interests.

    Direct Energie did not help themselves by publishing within its privacy notice that the hourly rate data would enable the customer to benefit from tariff deals, yet there were no tariff offers based on hourly consumption.

    CNIL thereby concluded that the processing had no legal basis, since it was not based on valid consent, and that other possible legal bases failed.

    Fortunately for Direct Energie, so long as it complies within the deadline set down by CNIL, it will not issue any penalty.

    GDPR Article 21 sets down that an individual has the right to object at any time to the profiling of personal data for direct marketing purposes. The similarities with this case, while subtle, make clear that prior consent is required, due to the sensitive nature of the energy consumption data collected, in all future cases where companies wish to gain a better understanding of their customers’ behaviour by analysing their consumption habits, which ultimately is linked to marketing strategies. Organisations must therefore ensure they adapt their systems and adopt a way of working so that any marketing or perceived 'customer benefits' which essentially form the basis of their own data analysis are separate from the overall contract that their customer base has entered into.

    Facebook in particular, given the collection methods it uses, will have to change the way its marketing/analytical/statistical data is separated from its core function as a social media 'platform'.

  • consent and retention of data

    There are effectively two points to consider here, firstly, the requested consent for data usage during the retention period and secondly, how the business manages the information collected in order to document and evidence as compliance.

    The business should consider things such as:

    • How the data is stored, i.e. primary storage such as databases; secondary storage such as email, employee contact records, printed materials and spreadsheets etc.; and thirdly, backups.
    • The stage at which a contract occurs, as this may affect the data retention period.

    An individual who contacts a business with the intent of custom will often expect to be contacted back by the business. It would be wise for the business to record the contact details and make a note of the time and the conversation and ask the customer permission to send out information. There should also be mention that once the transaction has completed, their personal data will be destroyed, and in what time frame, taking account of any warranty periods etc.

  • DATA CONTROLLER

    Where a Controller uses third party systems to process personal data, the responsibility for consent still lies with it. Controllers bear the onus of acquiring GDPR-standard consent (or indicating any other lawful basis for processing the data), of demonstrating it to the regulator, and of ensuring it can be withdrawn as easily as it was given. Therefore, selecting Processors who are themselves GDPR-compliant and can support the controller’s obligations is key.

    If the third party has processing purposes that are separate from the Controller's purposes, then the third party is deemed a Controller under Article 28.10. Here, the third party must secure its own legal basis for processing, whether by consent or another legal basis.

    The Controller may update its contracts to seek certainty that its Processors are adhering to the same GDPR standard and that any breach can be indemnified by the Processor. Meanwhile, if the Processor believes the Controller infringes GDPR, they have an obligation under Article 28 to inform the Controller and record the notification.

  •  cloud storage

    Cloud providers tend not to store data for small companies on servers under those companies' control. Instead, the data is stored in the provider's data centres in the US (as in the case of Dropbox). Similarly, OneDrive enables some users to locate their data within the EU, but general users do not have that option.

    This makes it tough for organisations to comply with GDPR requirements, particularly where there is a cross-border transfer of data. Some of the larger software providers, including Microsoft Azure, Google and AWS, have implemented 'GDPR-ready' platforms. Microsoft also offers a compliance portal, while its OneDrive, as part of Office 365, ties the location of the data to the Office 365 billing address. ShareFile by Citrix is another which enables storage within the EU jurisdiction.


    Away from these platforms, it is of course possible to encrypt the data before it is stored in the Cloud. That way, the location of the server matters less, as the Cloud service provider, such as Dropbox, will have no access to the data. Encrypting the data and holding the keys within the organisation before the data leaves it is perhaps the most sensible way to overcome such an issue, while pseudonymising data in cloud SaaS applications should also be considered.
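    As an added illustration of the two measures described in this section (not code from the original page or from any provider named on it), the following Go program encrypts each record with AES-256-GCM under a key that stays on-premises and pseudonymises the customer identifier with an HMAC before anything is handed to the cloud. The in-memory `cloudStore` map, the key material and the sample record are all constructed here for the example; a real deployment would take the key from the organisation's own key management and the store would be the provider's API.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// cloudStore stands in for a provider such as Dropbox: it only ever receives the
// bytes handed to it, so ciphertext stays unreadable wherever its servers are.
type cloudStore map[string][]byte

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts plaintext with AES-256-GCM under a key that never leaves the
// organisation. A fresh nonce is prefixed to the ciphertext, and the object name is
// bound as associated data so a blob cannot be swapped between names in the cloud.
func sealRecord(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openRecord reverses sealRecord; it fails if the blob was altered in the cloud
// or is read back under a different name than it was sealed for.
func openRecord(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}

// pseudonymise replaces a direct identifier with an HMAC-SHA256 tag under a secret
// kept on-premises: records can still be joined on the tag, but without the secret
// the identifier cannot be recovered or confirmed by guessing.
func pseudonymise(secret []byte, identifier string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// uploadRecord pseudonymises the name and encrypts the body before touching the cloud.
func uploadRecord(store cloudStore, encKey, secret []byte, customerID string, record []byte) (string, error) {
	name := pseudonymise(secret, customerID)
	blob, err := sealRecord(encKey, name, record)
	if err != nil {
		return "", err
	}
	store[name] = blob
	return name, nil
}

// downloadRecord needs the same local key and secret to get the record back.
func downloadRecord(store cloudStore, encKey, secret []byte, customerID string) ([]byte, error) {
	name := pseudonymise(secret, customerID)
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no record stored for this customer")
	}
	return openRecord(encKey, name, blob)
}

func main() {
	// Constructed sample key material and record for the example only.
	encKey := bytes.Repeat([]byte{0x42}, 32)
	secret := []byte("on-premises pseudonymisation secret")
	store := cloudStore{}
	record := []byte("name=A. Customer; email=a.customer@example.com")

	name, err := uploadRecord(store, encKey, secret, "CUST-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("object %s...; provider sees plaintext: %v\n", name[:12], bytes.Contains(store[name], record))
	back, _ := downloadRecord(store, encKey, secret, "CUST-0001")
	fmt.Printf("decrypted locally: %s\n", back)
}
```

    Binding the object name as GCM associated data means the provider cannot quietly serve one customer's blob under another customer's name, and keying the pseudonym with an HMAC rather than a plain hash stops anyone with a list of customer numbers from confirming which object belongs to whom.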


  • When a data subject challenges the accuracy or legitimacy of you holding their data, you must restrict processing, including access, while you investigate. But this leads to questions as to how this is being done. And, more importantly, what are YOU doing about it? The reality is that not many are actually doing this yet, and while systems can be configured to do so, very few applications comply with privacy by design. Practically speaking, databases should only be accessed by a designated few while the redaction investigations are performed. This means only authorised staff can access personal data. If the data is used for analytics purposes, it should be anonymised.

  • Under the Privacy and Electronic Communications Regulations (PECR), it was possible to use lists of people who purchased goods or services in the past and offer an ‘opt-out’ from future mailings.

    Under GDPR this is no longer valid, because there is no clear and active consent; it has been assumed or implied. Soft opt-in, however, is not changing, and so this can still be used.

  • The regulation is not merely for the 28 EU member states (27 after Brexit). It is for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein. GDPR is being integrated into the 1992 EEA Agreement.

    And not only does it affect EEA nations, but any organisation across the globe offering goods or services to European data subjects OR, organisations controlling, processing, or holding personal data of European nationals are also captured.

    While GDPR will bring harmonisation across the 31 EEA nations, the new provisions make European data protection law even more different from the laws of 'third countries', presenting a big challenge for international business and litigation.

    For example, US courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. By comparison, Europe places a greater importance on privacy, which is a fundamental right under Article 8 ECHR.

  •   GDPR Summary

    The key changes included in the General Data Protection Regulation (GDPR):

    • The Regulation will enforce tough penalties – proposed fines up to 4% of annual global revenue or €20million, whichever is greater.


    • Even though the UK will not be in the EU post-Brexit, we will still have to comply with the Regulation. Although enforcement beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
  • HR DATA ON THE CLOUD

    There are many outsourced HR companies, and so naturally they hold personal data such as an individual’s name, address, date of birth, National Insurance number, bank details, salary etc. Some HR companies provide software or apps to process payroll, pay invoices and employee expenses, bonuses etc.

    Care needs to be taken as to whether the servers for these apps are based outside the EU or EEA, for example in the United States.

  • Does a data processor require a legal basis (beyond the contract it has with the data controller) in order to process data provided by the data controller?

    The processor has to consider the reasonable expectation of the data subject and ensure a legitimate interest is pursued.

    A contractual basis will only work if there is a contract with the data subject; otherwise there would need to be a legitimate interest. However, the purpose of the processing should be limited solely to the processing categories intended by the contract with the controller.

  • Obtaining Consent

    When seeking to acquire informed consent, the default solution tends to be to obtain written consent from each and every customer. This is of course perfectly fine, if it is manageable. But even overcoming this task leaves the burden of gathering the consent documents and filing them, followed by ensuring the data is correct etc.

    Remember, consent is just one of the ways in which processing data might be justified. Therefore, consider the processes for which you are seeking consent, and look at alternative lawful bases.

  • employee data protection

    The Article 29 Working Party (WP29) published an assessment of the balance between the legitimate interests of employers and the reasonable privacy expectations of employees, in which it outlines the risks posed by modern working practices, where new technologies enable more systematic processing of employees’ personal data at work and bring about challenges to privacy and data protection.

    Processing of personal data on the use of online services and location data from a smart device is much less visible to employees than more traditional types of monitoring such as overt CCTV cameras, yet it captures far more of their lives.

Make a free enquiry, call now

0151 659 1070