GDPR and 3 Common Misconceptions

Transcript of the Video

Good evening ladies and gentlemen, Suzanne Dibble here, data protection law expert coming to you raw and uncut from the kitchen. Husband is on a rare night out, so I'm keeping the dog company.

So I'm just going to do this really quick video for you. I've not got a tripod, so no doubt the people who were saying, commenting on my shaky camera will not be happy with me, but there's not really anywhere to put it here.

So I just- what I'm going to do on this little video, which will be brief is just talk about a few of the real common misconceptions that I've noticed that people have that hopefully will help you. So the first thing to note is that you do not need people to agree to your privacy policy. It's not something that you need consent for. You don't need a tick box for your privacy policy at the point of collection of data, say next to your opt-in. It's advisory because consent is just one of the lawful grounds of processing. You don't need consent for example to process because of the legal ground or legitimate interests or the contractual ground or anything like that. So you can process that regardless as to whether people consent or not.

So I have come across a lot of people who think that you have to get a tick box for your privacy policy. You don't. You just need a link to it at the point of sign up and a statement that says something like 'we will collect, use, and protect your data in accordance with our privacy policy or privacy notice', whatever you want to call it. So that's a bit of a common misconception.

The next one is that consent is the only ground to processing. It isn't. Okay? So do, if you haven't already, please do go and watch my overview video and the marketing video, the webinars that are in a video but they're the longer ones. They're like an hour and a half each. Give you a really good overview as to the basics of GDPR and what you need- if you're processing personal data your very first question is: what is my lawful ground of processing. And if you don't have a lawful ground of processing then you can't process it according to the regulation. But don't forget there are many more grounds of processing than just consent. So the fact that you don't have consent doesn't necessarily mean that you can't process it.

Say for example there is a contractual ground where if you are processing personal data as part of a contract with that data subject, you don't need their consent for that. And also if it's in the lead up to a contract being entered to you don't need consent. So if someone asks you for a quote then you don't have to consent to send them that quote back. That would be under a contractual ground.

There's a legal ground so if you need to process data, personal data for legal reasons then again you don't need consent for that obviously. An example of a legal ground would be if you're processing employee data for social security purposes then obviously you have a legal obligation as an employer to obtain that personal data from them so that you can then pay the relevant taxes on that. So again you don't need to get consent for that lawful ground of processing either.

There's a couple of other grounds that we don't really talk about very much because they're not often relevant. But the final one that we do talk about is the legitimate interest. I've done lots of videos on legitimate interests because it is not an easy area. It's a gray area. It's not black and white. People don't like that. So often people will choose to have a consent ground of processing because it puts the matter beyond doubt. But do go and there are lots of videos that I've done on legitimate interest. So if you're unsure about what that's all about. Go and check that out and also I do cover that in the overview training and the marketing training.

So those are definitely very common ones that I get asked about. The other is to do with processors and controllers. So if you control the data and you decide what you're going to do with that data then you're the data controller. If you engage somebody to process that for you then they're a data processor and they can only act on your instruction.

Now, quite a few people have been asking me: What is my lawful ground of processing if I'm a processor? Well, you don't need a separate ground for processing if you're a processor. It's the controller who has the ground of processing. And then the processor processes it on that basis.

There was also another question in the group that was asking about what if somebody is a controller and a processor. So, for example, someone's accountant, whereby they are processing your data but you are their client and therefore they are the data controller of your data. Then what you need to have there is a processor agreement in place from your perspective because the accountant is processing your data. And then from his perspective, he needs to be giving you the appropriate privacy notice that's telling you what he's doing with your data and that relationship will be governed by the accountant’s terms of business. So you don't need a processor agreement for someone who- you don't need a processor agreement for the controller or someone acting as a controller.

So I think I'm going to keep this really short and sweet. But those are, I think, probably the three most common misconceptions about lawful grounds of processing. So I hope that has helped some of you who are a bit confused about that. As I say short one tonight.

And I am conscious of the fact that I have promised you- you website people, I'm loving your discussions in the group. But I'm very conscious of the fact that I have promised you a video for you. The problem that I have is that it's going to take a bit of preparation to do that because I want to make sure that I do a really solid overview for you. So what I'll probably do, I'm probably going to do that as a live stream and I'd love you to be on that- be able to be on that live stream to ask me questions and listen to what I have to say on that. So I don't know when that's exactly going to be, probably early next week. But that is still on the list.

Thanks for adding suggestions for videos to the sheet in the group. I know there's still a fair few to work through. And that is it, I think. So I hope that's helped some of you. And that's all I'm going to say. Those of you who have started to book for the implementation day next Tuesday, really looking forward to that. And yeah exciting to see how that will actually work out. I think it's going to be brilliant but we will see. So I'll leave it there. I think that was my husband just returning back from the pub. So I better go and see if he had a good time. And I'll catch you later.