GDPR has changed global communication processes for businesses, from marketing and outreach to application processing. Companies have reviewed their processes to ensure they are GDPR compliant, with great emphasis on ‘consent’.
GDPR provides for six legal bases to process data, one of which is consent. GDPR has raised the bar for valid consent worldwide. If a company plans to rely on consent, that consent must be freely given, specific, informed and unambiguous, and expressed through an affirmative action (no pre-ticked boxes, a practice way too common in many apps and services). Individuals must also be able to withdraw consent at any time. Where there is a power imbalance between the parties (such as between an employer and an employee), consent may be invalid.
The DataFlow Group requires each applicant to complete and sign a Letter of Authorisation which authorises DataFlow to conduct a verification – at the source – of the documents presented.
There are other conditions, too, all of which require consideration of the necessity of the activity, i.e., is it possible to achieve the same goal in a way that interferes less with the individual’s rights?
The two most relevant legal bases in a commercial context are likely to be where the processing is necessary for the performance of a contract and where the processing is necessary for the purposes of the legitimate interests of the party in control of the data (the applicant) or even a third party (for example: a Regulatory Body).
An example of where processing is necessary for the performance of a contract is when an applicant requires a PSV verification report for the purpose of registration with a Healthcare Regulator and the regulator relies fully on DataFlow to conduct this verification as part of the wider applicant registration procedure. DataFlow will need to process the applicant’s personal details such as address, passport number and date of birth in order to deliver the service. This does not mean that DataFlow or the Regulator can use the data for other purposes.
Processing on the basis of ‘legitimate interest’ is harder to explain and often less clear, which has meant that in certain circumstances it has been open to abuse. However, if a company is going to rely on it, then it must explain to individuals how it is going to use the data and specify what its legitimate interest is in doing so. In that way it ensures there is no prejudice to the fundamental rights of the individual.