Lawfulness – Facebook, WhatsApp, LinkedIn
Lawfulness – Facebook, WhatsApp, LinkedIn are all at it!
David Parish – Information Security Consultant
“We have a legitimate interest”
The most active debate, on-going confusion in recent months has been the issue of electronic marketing, Legitimate interest, data harvesting and privacy notices.
Let’s have a whistle stop around some of the current ICO activity and recent data protection issues.
The ICO have reached a binding agreement with WhatsApp, that they cannot share data with Facebook, as their data privacy notice doesn’t specify that they collected the data to share with Facebook. Whilst the ICO has made this arrangement for the UK, other Supervisory authorities have yet to reach a decision on this issue and WhatsApp may not be in the clear yet.
A Cambridge firm of analysis who are utilising automated decision making to profile voters FORGOT to mention that they harvested all the data from Facebook. Facebook shares plummeted. The ICO searched the Cambridge Company with a warrant. The chairman of Facebook declined the opportunity to visit London and explain to parliament how this happened!! Imagine how the Cambridge company would cope if they suddenly received DSAR’s from multiple Facebook users to establish if the Cambridge firm had been processing the data. That could become a nightmare on top of the ICO‘s investigation and could probably result in additional penalties for failing to respond in time.
LinkedIn terms and conditions are quite clear, when signing to the platform for business networking the T&C’s state that data should not be harvested and marketing should not be conducted via LinkedIn (they do offer a separate product for marketing products which this blog does not deal with).
My view
I then find myself seeing commentary on LinkedIn stating that due to someone’s profile that you are able to harvest personal data. You can’t! It gets better when some specialists state that you can then import that data into a marketing software program because you had A LEGITIMATE INTEREST. You don’t. You can’t.
Marketing and legitimate interest
There is more discussion, posts, blogs, views about this one topic and the ICO has stepped in with additional guidance on this topic.
23rd February Elizabeth Denham to the direct marketing association:
Context
‘Firms spending as much time trying to justify legitimate interest are wasting their time.’
March 22nd
The ICO produce 44 pages of guidance specifically about using legitimate interest as your lawful basis for processing data subject.
To summarise the guidance
1. Legitimate interest is one of the most common basis for processing personal information but not always the best.
2. If you are trying to make legitimate interest fit you probably are looking at the wrong lawful process.
3. If your data records, data quality is poor you may need to conduct a legitimate interest assessment (LIA) or conduct a data protection impact assessment.
Also remember that when you have tidied up complied with the legitimate interest, considered or completed a legitimate interest assessment you still have to comply with Privacy Electronic Communications legislation PECR they run in tandem with GDPR.
Finally the ICO Guidance to the GDPR is regularly being updated and any fundamental changes or high impact issues will be subject of further blogs. Particularly the updated guidance on Children’s data due sometime later this month.
by David Parish, Information Security Consultant – IBITGQ Certified ISO 27001 and GDPR implementation Specialist MSC Security and Risk Management