Know How to Process Data Under GDPR? Then Pass This Quick Test.

Some quizzes tell you whether your personality is more a “spring” or an “autumn.”

Some tell you whether or not the Data Protection Authority has the legal right to fine your company for millions of dollars.

Guess which one this is.

It’s time to play, is this GDPR compliant?

1.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

2.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

3.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

4.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

5.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

6.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

7.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

8.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information

9.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

10.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

11.

1. This is compliant.
2. This isn’t compliant.
3. Hmm…we need more information.

Answer Key

1. B
2. B
3. B
4. A
5. B
6. B
7. A
8. B
9. A
10. C
11. C

If you got…11 out of 11

Congrats! You’re a GDPR superstar…or something.

Titles, and accolades, and badges aren’t important. But GDPR compliance very much is.

And it sure seems you know your way around processing personal data (unless you guessed)—be it for cookies, or emails, or sensitive data.

So pat yourself on the back. Share your wisdom. Ready your coworkers. And reread the explanations below, if there’s anything you’re unsure of.

If you got…anything less than 11 out of 11.

Welp. We get it. This stuff is hard.

You might want to keep reading….

Miss one? Guess a few times? Need a reminder? Here’s a quick breakdown.

1. B

Hey look it’s that example you may have seen around the internet!

That’s right friends—don’t pre-check your consent boxes. People have to give consent actively now.

“I just meant to click the “next” button. I didn’t even see that checkbox. Now I’m on your email list?”—is never a thing your users should think.

Here’s what GDPR says on processing consent, to make it official:

Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her – Article 4

Clear, affirmative, action. Keep those boxes blank.

2. B

Nope, non-compliant.

The key here is something called “bundling”—which isn’t allowed under GDPR. Here are a couple different citations that give this a “no.”

“If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters (…)” – Article 7(2)

“Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them” – Recital 32

So, attending an event? That’s a clear “different purpose” than a monthly newsletter. Consent has to be asked separately.

3. B

This looks like our standard, persuasive opt-in form. And this is all kinds of non-compliant.

First off, it’s asking to collect a lot of information that isn’t necessary for getting the data subject to their goal (aka: sending them the PDF they’re signing up to receive). This goes against the GDPR requirement of data minimization, or “privacy by design.” The best practice here is: if you’re collecting information, and it’s not clear why you’re collecting it, you should be making that known to your users.

Facebook offers a great example of how to do this right:

Plus, this example, again, is bundling.

It’s slightly less egregious bundling than the prior example. Here, by agreeing to receive the PDF, you’re at least giving consent to receive content. An email list subscription and a download, in this respect, are of a similar “purpose.” Still—phrased as it is, you’d be hard pressed to frame them as “the same.” So consent should be given separately.

4. A

Hey no this one is pretty good!

Now you couldddd make the argument that they don’t NEED to collect a company name, or phone number, here. So, adapting for privacy by design, those fields should be omitted.

But considering your user goal here is to test run a CRM, and you know, manage client relationships for their company—it makes sense that the SuperOffice would want to know who that company is.

So we’ll give ‘em a pass.

Also, check out how pretty and segmented and unchecked those boxes are. They’re asking for an explicit opt into their privacy policy. They’ve asked for separate, active consent.

When GDPR is instated, this should fly.

5. B

They. were so. close.

Until that second checkbox and the mention of third parties.

Under GDPR, any third party you want to share your data with must be named. “Trusted third parties” is not clear enough. Categories don’t work. If someone is going to opt-in to hearing from third parties, they have to know exactly who those parties are.

6. B

So, the good news is….they got third parties right.

They got unbundled consent right.

But this is an opt-out, not an opt-in.

You’re going to get contacted unless you check “no.”

That doesn’t sound like affirmative, active consent to me.

7. A

10/10.

Woolworth NAILS granular opt-in.

If you’re wondering why I got irrationally excited about this example—this is something a lot of forms screw up.

A common mistake is to ask for consent to send materials, but to forget to separate the “how.”

So a reminder: if you want to send texts, you need specific consent to send texts. If you want to send emails, you need separate, specific, consent to send emails.

Woolworth also tells you exactly what kind of materials you’ll be receiving from them. That’s a good idea, both for GDPR compliance, and for persuading your audience to sign on up.

8. B

A moment of silence for the soft opt-in, for GDPR has killed it.

Cookies, with unique identifiers, are personal data under GDPR.

And as you remember—personal data requires active, unambiguous, specific, yada yada yada consent.

This means the whole “by using this site you agree” nonsense is no longer legal. And you can’t start running cookies until you get an affirmative yes.

(This is a big, complicated, messy subject—that has to do with the intersection of GDPR and ePrivacy. You can read more about it here).

9. A

This does everything number 8 did wrongly, right.

It tells you exactly what those cookies are used for. And then it gives you a clear option to accept, or not accept them.

And for a final flourish, it let’s you expand and select which cookies you’re okay, and not okay with.

It’s a thing of beauty, from a legal standpoint.

(From a marketing standpoint, though—you haven’t given your users much of a reason to opt in or not. Maybe a better explanation of the benefit of your site’s cookies, might help in that endeavor).

10. C

So, kind of a trick question.

As we mentioned, if we’re talking about GDPR-approved consent—this fails. Pre-checked boxes are a “no.”

But if we’re asking ourselves “Does Lancome have the right to email this person?”—we have a few more things to evaluate.

Because in case this weren’t tricky enough, consent is not the only way to lawfully process personal data.

Enter: the legitimate interests condition.

But don’t get excited. Processing data because of perceived “legitimate interests” is tricky.

This condition is more for “I needed to process their account number to perform fraud prevention services” situations.

Not “I legitimately thought they were interested so…I sent them a bunch of emails without consent” cases.

But one things that seems to give people the go ahead has to do with the data for existing customers.

Here’s the line in the legislation they’re talking about:

“Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.” –Recital 47

The key here is to ask yourself: “Would, performing this action, lead me (the data subject) to reasonably expect my data will be used in this way?”

So, if I buy a shirt—would I reasonably expect that I’ll get an email confirming my purchase? (Without explicitly consenting to receive emails?).

Yeah, you’ve got a pretty good case legitimate interest applies here.

What about a notice that there’s a huge discount next week on a similar product?

Your case is getting a little thinner.

Weekly emails?

Paperrrrr thin.

To be honest, past your standard order confirmations, we wouldn’t risk it. Asking for the consent (properly!), is the safest way to ensure your bases are covered.

But if you realllyyyyyy want to use the legitimate interest condition to process personal data, we beg you, read this first.

11. C

ANOTHER FUN TWIST ON THIS ONE.

GDPR outlines a separate category of data called “sensitive personal data.” And the processing requirements are different for this type of information.

I’m going to admit to you right now, this is not the best example. So it was kind of a cruel question, and it is kind of a stretch. (There’s a complicated discussion happening right now as to at what point someone’s weight counts as health data from a data privacy standpoint, if you’re interested).

Here’s the exact language on what data counts as “sensitive,” from Article 9:

Sensitive personal data means personal data consisting of information as to –

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c ) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

So let’s say this app collects what, for sure, counts as data about a subjects “physical or mental health or condition.” It asks about prior medical conditions, it logs your weight and blood pressure, or sleep patterns, over time.

If it collects information that counts as sensitive personal data, then what?

Were the personal data for this app non-sensitive, this seems like a pretty compliant intake form. It seems like it should be a clear legitimate interests case.

You’re signing up to use the app. You want to use the app. You consent to using the app.

And the app tracks your fitness.

Of course, it seems legitimate to you, that they ask for data on your fitness. Plus there’s an accessible privacy policy and terms of conditions statement there if you want to know how that data is used.

But there are additional processing conditions we have to follow, if this is “sensitive personal data.”

1. Legitimate interests no longer counts as processing condition.
2. If you choose to process based on the condition of consent, it doesn’t just have to be “unambiguous” anymore—it has to be “explicit.”

This means just clicking a “Sign Me Up” Button isn’t good enough.

GDPR says you need a statement that would “specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer” (Directive 95/46/EC, Article 29).

Or, as the ICO breaks it down:

This suggests that the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.

AND THEN, once people know allllllll of that—you need to solicit an explicit action from them. Like, ticking a box that says “I agree” or “I consent.”

Basically: they should know everything you’re doing with that data. And they should tell you clearly they’re okay with it—with an affirmative action.

SO, if this is sensitive personal data—just throwing your privacy policy, and terms of service, in small print after the form isn’t enough. You’d have to make sure people had a chance to read it, and then checked a box or clicked a button that says “I agree.”