Data Collection in the GDPR World Using Consent & Legitimate Interests
Last week in our first of a series of pieces in the lead up to Brexit, we looked at data protection issues. This week we will explore data collection.
When the General Data Protection Regulation (GDPR) act was introduced in May 2018, it generated a lot of worry and questions about how data would be collected, processed and stored, along with strict new consent rules for data controllers. While most businesses have now become familiar and comfortable with GDPR, some of these concerns have arisen again with many now unsure about whether this law will still apply to them following Brexit.
In short, given that the UK was one of the key contributors behind the original creation of the GDPR , it has already been incorporated into the UK’s domestic law to continue functioning alongside the Data Protection Act 2018, following our withdrawal from the EU.
Therefore, in this article we are going to focus on the consent and compliance issues around collecting data and responses from your survey respondents in the GDPR world.
Once again, before we begin it is important to point out that these answers represent the current opinions of our data collection expert and shouldn’t be construed in any way as offering actual legal advice.
a) When collecting survey data, do you need consent?
As a survey creator you are usually a data controller, which means you are responsible for ensuring a lawful basis for processing under GDPR.
Some customers will choose to obtain the consent of their survey respondent (as the data subject). If you are going to rely on consent, you should ensure that this consent is:
- Freely given;
- Intelligible, in an easily accessible form, using clear and plain language;
- Able to demonstrate and prove that the data subject made this consent;
- Able to allow the data subject to withdraw their consent at any time;
- Clear in communicating what you will do with the data.
If you are collecting personal data using one of SmartSurvey’s questionnaires, and your lawful basis for processing is consent, then you must ensure that:
- You meet all the requirements for consent; and
- If you haven’t already got the data subject’s consent in some other way, make your survey’s consent a compulsory question, which is included on the first page of your survey, ideally as the first question. The reason for this is because as soon as a survey participant clicks on the next page button or submits your survey, his/her survey responses will be stored in your account allowing you to see those responses.
b) Are there any methods you could rely on to collect survey responses?
The lawful bases for processing are set out in Article 6 of the GDPR. As outlined in this section, you must rely on one of the following as a basis for lawfully processing personal data:
- Consent of the data subject: where an individual has provided clear consent for you to process their personal data for a specific purpose.
- Contract: where processing is necessary for the performance of a contract with the data subject, or essential during the steps taken before entering into a contract.
- Vital interests: where processing is required in order to protect the vital interests of a data subject or another person.
- Legitimate interests: where processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
- Legal obligation: where processing is essential for compliance with a legal obligation.
- Public task: where processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller.
c) Why is it important to be clear about how you are processing and collecting data?
It is crucial in order to comply with Principle A of the GDPR: The Lawfulness, Fairness and Transparency Principle, as well as various other obligations under GDPR. This principle is concerned with the lawful handling of a data subject’s personal data, in a way that is both fair and as transparent as possible with the way that the data is handled.
d) What should you look for in a software provider, to ensure you are recording data collection processes in the right way?
You should consider an organisation that helps you to comply – essentially a business that provides you with the means to carry out the lawful basis you require for collecting data.
You also want to consider best in class providers, who are more likely to be GDPR compliant, with the appropriate technical and organisational safeguards including good security measures and third-party accreditation such as ISO27001.
e) What are the ramifications of collecting data and responses in the wrong way?
- Mistrust of your data subjects leading to reduced number of responses.
- Potentially facing disciplinary actions in your organisation.
- Reputational damage to your organisation which can impact your business.
- Fines from a supervisory authority (up to 20 million EUR or 4% of annual global turnover – whichever is higher).
- Civil lawsuits from organisations and data subjects.
- Committing criminal offences in accordance to national legislation (UK’s Data Protection Act 2018), some of these include: unlawfully obtaining personal data (s170, DPA 2018) and re-identification of de-identified data (s171, DPA 2018).
This concludes today’s look at data collection. Next week in the final piece in our series we will be wrapping up with a look at data security. So do make a note to catch up with us again then.
Disclaimer: This article post does not constitute legal advice nor does it guarantee compliance with any legislation including GDPR. It is only intended as background information to supplement your knowledge and awareness. We recommend you obtain the advice of a suitably qualified individual for guidance and ensuring compliance.