Do You Have a Legal Basis for Processing Customer Data?
Companies collect and process customer data every day. However, privacy laws often limit how companies can use this information, or even whether they can process it to begin with. Any business that depends on processing customer information (meaning every business) should be able to prove that the law allows it to do so. Is your company in the clear? If privacy regulators asked whether you had a legal basis for processing the data collected from your customers, could you provide evidence that you did?
What is a Legal Basis for Processing Data?
First of all, how does the law define a legal basis for processing data? The GDPR addresses this topic directly in Article 6 and lists six lawful bases; at least one must apply to each purpose for which you process personal data:
- Consent: when a customer has given a clear, affirmative, informed indication that the company may collect and process their data for a stated purpose. Consent must be as easy to withdraw as it was to give, and a pre-ticked box or silence does not count.
- Fulfilling a contract: when collecting and processing data is necessary to perform a contract with the customer, or to take steps the customer has asked for before entering into one (processing an order, for example)
- Legitimate interest: when the company has a genuine interest in the processing, the processing is necessary for that interest, and the customer's own interests and rights do not override it. This is not a get out of jail free card: the company must carry out and document a balancing test for each use, and a customer who would not reasonably expect the processing is a strong sign the balance does not favour the company.
- Vital interest: when collecting and/or processing data is necessary to protect someone's life or physical safety. This legal basis rarely surfaces outside of emergency medical situations.
- Legal obligation: when collecting and/or processing data is required to comply with a law the company is subject to, such as a legally mandated background check or the retention of tax records
- Public task: when the processing is necessary for a task carried out in the public interest or in the exercise of official authority, which in practice means a public body or a party acting on its behalf
Companies are also required to make their legal bases clear from the very beginning. For example:
- Companies must establish a legal basis for processing data BEFORE processing the data in question
- Companies must always be able to provide evidence that their basis for processing is legally sound
- Companies must identify one clearly stated legal basis for each purpose of processing from the outset, and may not switch to a different basis later if the original one turns out to be inconvenient or invalid
Establishing Your Right to Process
Establishing your right to process customer data consists primarily of determining which of the six points above applies. That much is easy. However, the next steps involve a little more work.
First, you have to communicate your legal basis to the consumer. Under the GDPR this information belongs in the privacy notice provided at the time the data is collected, but it also helps to make the purpose visible in the communication itself. This can be as simple as adding a sentence or two to a personalized marketing email. For example, a home supply store might send an email that says something like, "Hi! We noticed you bought a hand mixer from us a month ago. Just for you, here's a special offer for an extra set of beaters!" This message continues the store's marketing efforts while also explaining why the customer is receiving this specific email. It supplements the privacy notice rather than replacing it; the notice is still where the basis itself (for instance, the marketing consent the customer gave at checkout) is stated.
Second, you have to be able to establish your legal basis for processing data when the relevant privacy authorities ask. They can ask to review your records at any time. Additionally, as recent news stories have shown, violating the GDPR—or not being able to prove your compliance—comes with expensive consequences. You need an easy-to-understand, reliable method of establishing your right to process data—and you need it now.
Why is this so important? Because a privacy law's requirements can reach data you collected before anyone was enforcing it. Take the CPRA for example. The CPRA became operative on January 1, 2023, but its provisions apply to personal information collected on or after January 1, 2022, so data gathered during that ramp-up year is already in scope. You cannot afford to wait for an enforcement date to be in compliance; the record of your legal basis has to exist from the moment the data is collected.
Rising to the Challenge
What is the best way for a company to establish and defend its legal basis for processing data even as privacy laws continue to evolve? It can use a software solution with a secure record of every legal activity conducted to process customer data, like 4Comply. 4Comply's legal vault captures every instance of data processing in an easy-to-understand, unchangeable record. Better yet, when privacy laws change and the legal bases for processing shift, it is easy to update 4Comply's system to reflect the new requirements. Using 4Comply is the best way any business can rise to the challenge of establishing a legal basis to process customer information.
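To make concrete what an "unchangeable record" of legal bases has to do, here is an added example of a tamper-evident processing ledger. It is illustrative code written for this page, not 4Comply's implementation, and the customer IDs, purposes, evidence strings and timestamps in it are constructed sample data. It enforces the three requirements listed earlier (the basis is recorded before processing, the evidence is retrievable on demand, and the basis for a given purpose cannot be swapped later) and chains every entry to the previous one with SHA-256, so any edit or deletion of an earlier entry is detectable.

```python
"""Tamper-evident record of legal bases for processing (illustrative, added example)."""
import hashlib
import json
from typing import List, Optional

# The six lawful bases of GDPR Article 6(1), the only values the ledger accepts.
LEGAL_BASES = {
    "consent",
    "contract",
    "legitimate_interest",
    "vital_interest",
    "legal_obligation",
    "public_task",
}

GENESIS = "0" * 64  # prev_hash of the very first entry


class ProcessingLedger:
    """Append-only, hash-chained log of processing decisions.

    Each entry commits to the previous entry's hash, so editing or deleting
    any earlier entry invalidates the chain from that point on and verify()
    reports the index of the first entry that no longer checks out.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so equal fields hash equally.
        body = {k: v for k, v in entry.items() if k != "hash"}
        encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(encoded).hexdigest()

    def record(self, subject_id: str, purpose: str, legal_basis: str,
               evidence: str, timestamp: str) -> str:
        """Record the legal basis for one purpose BEFORE processing starts.

        Rejects an unknown basis, and rejects a different basis for a subject
        and purpose that already has one (the basis is chosen up front, not
        swapped later when the first choice proves inconvenient).
        """
        if legal_basis not in LEGAL_BASES:
            raise ValueError(f"unknown legal basis: {legal_basis!r}")
        for prior in self.entries:
            same_purpose = (prior["subject_id"], prior["purpose"]) == (subject_id, purpose)
            if same_purpose and prior["legal_basis"] != legal_basis:
                raise ValueError(
                    f"basis for {purpose!r} already recorded as "
                    f"{prior['legal_basis']!r}; cannot switch to {legal_basis!r}")
        entry = {
            "index": len(self.entries),
            "timestamp": timestamp,
            "subject_id": subject_id,
            "purpose": purpose,
            "legal_basis": legal_basis,
            "evidence": evidence,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev or self._digest(entry) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def evidence_for(self, subject_id: str, purpose: str) -> List[dict]:
        """What you hand a regulator: every recorded basis for this subject and purpose."""
        return [e for e in self.entries
                if e["subject_id"] == subject_id and e["purpose"] == purpose]


def demo() -> dict:
    """Build a ledger from constructed sample events and show that tampering is caught."""
    ledger = ProcessingLedger()
    ledger.record("cust-1042", "order_fulfilment", "contract",
                  "order 7781 placed via web store", "2023-02-01T10:15:00Z")
    ledger.record("cust-1042", "marketing_email", "consent",
                  "opt-in checkbox ticked on checkout form", "2023-02-01T10:15:02Z")
    ledger.record("cust-1042", "invoice_retention", "legal_obligation",
                  "retention required by national tax law", "2023-02-01T10:15:03Z")
    intact = ledger.verify()  # None: every hash matches
    # Quietly rewriting the marketing entry's basis after the fact breaks the chain.
    ledger.entries[1]["legal_basis"] = "legitimate_interest"
    tampered_at = ledger.verify()  # 1: first entry whose stored hash no longer matches
    return {"intact": intact, "tampered_at": tampered_at}


if __name__ == "__main__":
    print(demo())
```

The hash chain only proves that the log has not been edited since the head hash was last observed, so in a real deployment the current head (or a periodic signature over it) must be kept somewhere the system that writes the log cannot rewrite, such as a separate append-only store or a signed daily digest; otherwise an insider can simply rebuild the whole chain.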
Want to learn more about what 4Comply can do? Contact us for a demo today.