Now, we must get ready to embrace the age of the agreement economy.
GDPR is a good thing. We should get that out of the way early on. We all want to know where our data is going, and how it is being used, and the introduction of GDPR means we will all be better informed, and ultimately more secure.
Because of GDPR, all organizations handling or processing personal data on EU residents will now be required to show proof of their compliance with new privacy regulations. As part of these adjustments, making sense of the new regulatory jargon and its practical applicability to various common data processing scenarios is essential.
Alternatives to consent
In a nutshell, consent remains a lawful basis for processing personal data. However, under the GDPR, valid consent becomes significantly harder to obtain and prove. Consequently, why not explore using legitimate interests or performance of contract as a basis for data processing instead?
By now, most HR departments have realised that continuing to rely on consent as a legal basis for employee data processing likely leads to GDPR violation. Consequently, HR departments are looking at other reasons for processing, such as legitimate interests.
HR departments certainly have legitimate interest in being able to provide employees with healthcare, as well as other benefits, such as expenses or reimbursements, for example. These activities are in accordance with local laws and compliance requirements preceding and extending the GDPR. So, while the legal basis for salary payment-related data processing is on performance of contract, with data processing for tax withholding based on legal obligation, all other HR data processing needs have a legal basis of legitimate interest.
Performance of contract
Progressive publishers and consumer marketers alike are moving away from consent, and embracing performance of contract in its place. For example, when previously a publisher requested consent for behavioral advertising execution on its site in exchange for free-of-charge access to content, such a mutual value exchange can be constructed as a service agreement between the data subject (site visitor) and the publisher.
Governing the data subject’s rights and obligations to the use of their personal data under a service agreement is more manageable, better structured, and more transparent to both parties.
A service agreement constitutes a legal contract, which allows for digital marketing data processing to use performance of contract as a legal basis.
Disclaimer: Ardoq does not guarantee, nor assume, any responsibility for your compliance with any regulations. Any assessment of your level of compliance is based on the data you provide.
Download now the New Enterprise Architecture Magazines by Ardoq: