Joe Robertson is a family lawyer and Vice President of Hampshire Law Society. He is a member of the Society of Conservative Lawyers and a former Conservative election campaign manager.
After all the hype, scaremongering and panic, the General Data Protection Regulations (GDPR) have today become enforceable.
As a lawyer with voluntary involvement in a number of small-to-medium-sized organisations, I have been concerned by the many and various ways in which GDPR has been misinterpreted. Readers will no doubt have noted the wildly differing messages they have received from organisations holding their data, about how those organisations will continue to hold it.
Over the last few days my concerns turned to local Conservative Associations, particularly smaller, less well-resourced ones, when I received an email from a small Association I am a member of. Like so many smaller groups this particular Association appears to misunderstand the lawful basis on which they hold members’ information.
It’s not merely an academic point. The consequence could be dire for membership retention for what are already small organisations.
This particular Association is relying on “consent” as the lawful basis for processing membership data, including contact details. They have required all existing members to print out an email attachment, populate it with personal contact details, tick all sorts of consent boxes, sign it and return it by post to the Secretary by 25 May 2018. Failure to do so, they say, will mean, “that after 25th May… we will not be able to use your personal data; so for example we will not be able to let you know about forthcoming events or renew your subscription.”
Anyone who has had any responsibility for communications within a member organisation will know that the percentage of members who are likely to respond in this way will be significantly below 100 per cent. Presumably then the Association will stop communicating with all of those who don’t respond, as set out in their recent email, and refrain from sending them membership renewal reminders.
Not only does this have dire implications for small-to-medium-sized Conservative associations, but national consequences for membership levels for the Conservative Party. National membership is, after all, the aggregate of local association membership.
The drastic steps small organisations such as this Association believe they should be taking are centred on the huge misunderstanding of “consent” as the lawful basis for processing personal data. Certainly, if consent is to be relied upon, the data subject must take a positive step to give that consent. It cannot be inferred from silence; the Information Commissioner’s Office guidance says it must be “unambiguous and involve clear affirmative action.”
But even using the consent option, my Association is making a rod for its own back by making the consent step (printing, completing and posting a new form) far more onerous than it needs to be. But here is the key – the lawful basis of consent is just one of a range of lawful bases for processing personal data, and it is really aimed at commercial organisations or where an organisation is seeking to do something above and beyond what the data subject might expect.
There are two much more appropriate lawful bases for Conservative associations that do not require their members to do anything and do not risk haemorrhaging members: ‘Performance of a Contract’ and ‘Legitimate Interests’. If either of these applies then consent is not needed, and associations can continue to send out notices about events and make contact about membership renewals.
When a member joins an Association, a contract is formed. There are certain obligations that the member is required to perform and there are certain obligations the Association is expected to perform. The contractual obligations do not need to be written down (although many of them are via the Party rules).
So for example, the member is expected to pay their subscriptions in a timely manner and not act against the interests of the Party. The Association is expected to permit members to attend events and vote in candidate selections. Part of that includes notifying members of events and the things they are entitled to as they arise. It is therefore perfectly proper for an Association to hold and use contact details for members without their consent for the performance of the contractual relationship with members.
Legitimate interests is arguably an even easier lawful basis to satisfy for a membership organisation. It must however be balanced against the individual’s interests. “If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.”
For larger commercial organisations embarking on marketing campaigns of a huge email database, the legitimate interest argument may be harder to make out, but for local Conservative Associations it is an easy test to meet. It is plainly in the interest of a membership organisation to communicate with its members from time to time about events and activities that members may be interested to hear about. It is equally within the legitimate interests of an Association to contact members about membership renewals and payment of subscriptions.
Without these two functions a membership group cannot properly function. And there are no “balancing against the individual’s interests” concerns here either. It is plainly also in a member’s interests that they hear from the organisation they freely joined about what it is up to and what they can get involved in.
There are many other steps that organisations are required to take (like publishing a data protection policy) not discussed here, and this article is certainly not a complete statement of the law. However, Conservative associations should not get hung up on the consent principle and start jettisoning contact details of members they have not heard from.
They should include the lawful bases of performance of a contract and legitimate interests (where appropriate) in their published data protection policies, and continue to tell members about forthcoming events and their political activity, and send reminders about membership renewals. Yes, GDPR is here – but don’t panic!