GDPR, consent and other processing bases for accountants

One of the key changes introduced by the European Union’s General Data Protection Regulation relates to the issue of consent.

To comply with GDPR rules, when dealing with data, a company must provide customers or clients with clear and easily understood requests for consent. These customers or clients must be able to easily give permission for their data to be used, and they must just as easily be able to withdraw that permission. A failure to provide for this leads to heavy penalties.

Accountants work with large quantities of data each day, and the role of the accountant as data controller (the one who is collecting the data) as it relates to GDPR is complex. But when accountants are deemed to be data controllers with respect to the client’s data, it’s important they understand their roles and responsibilities in communicating with clients.

A common misconception about GDPR is that it has made consent mandatory. This is simply not true. Consent is just one of six processing bases created under GDPR. While the new regulation does set a high standard for consent, it is often not required. If consent is difficult, a controller can always choose from the other five options. Under GDPR, data processing is lawful only if one of six processing bases applies. If none of the six apply, the activity will be “unlawful” or a violation of GDPR.

The first of these six processing bases is “consent.” An important thing to bear in mind with respect to consent is that it must be specific as to purpose. A checkbox that says, “I agree to the Privacy Policy” does not amount to consent under GDPR. The controller will have to specify if the data collected will be shared with any third party and the reason for it, and also must let the end user decide in what way they wish to be contacted (for example, by email, text message or telephone) and how frequently. The individuals must have a real choice and control, which means that consent should not be a precondition of a service. And finally, it would be unlawful to process personal data for any different purpose than for which client consent was originally given. More information on consent is available here.

Beyond consent, there are five other processing bases to consider, starting with “contract.” This applies when the controller needs to process someone’s personal data to fulfill contractual obligations or to do something the person requested before entering into a contract; for example, providing a quote or sending an invoice. Next is “legal obligation,” which applies when the controller needs to comply with an obligation under any applicable law; for example, providing information in response to valid requests in connection with an investigation by an authority. Then there are “vital interests.” This generally applies to matters of life and death, especially with respect to health data. Number four on the list is “public task,” applying to activities of public authorities. And finally, there are “legitimate interests,” which can be commercial interests such as direct marketing, individual interests or broader societal benefits.

Some of the important things to bear in mind with respect to legitimate interests are:

1. The processing activities should be in ways that people would normally expect.

2. The controller must document and keep a record of its decisions on legitimate interests in the form of a “Legitimate Interests Assessment” by (i) identifying a legitimate interest, (ii) showing that the processing is necessary (that the legitimate interest cannot be achieved in a less intrusive way), and (iii) balancing it against the data subject’s privacy expectations.

3. The controller must provide notice and an opt-out mechanism wherever possible.

4. Processing for a new purpose compatible with the original purpose is permitted, provided a new Legitimate Interests Assessment is performed.

More information on legitimate interests is available here.

When one compares the requirements for consent and for legitimate interests, the latter is a far better choice for most business purposes. Because service cannot be denied if consent is not provided, there is a chance that only a small percentage of the data subjects will actually provide consent and that the majority cannot be contacted. However, if “legitimate interests” is used as the processing basis, all the people can be contacted, provided you meet the other requirements, such as providing them an opt-out.

Consent does not offer flexibility because the controller can use the data for only those things for which the consent has been obtained, while in the case of legitimate interests, it is easier to include a new compatible purpose. And in spite of the controller having obtained specific granular consent, the data subject can withdraw consent at any time. The controller must provide an easy way for managing preferences and withdrawing consent. Switching from one processing basis to another is not permitted unless there is a compelling reason. Since consent offers more control to the data subject, a switch from legitimate interest to consent will be easier than a switch from consent to legitimate interests.

“Legitimate interests” is not the appropriate choice when the commercial benefit is outweighed by the potential impact on each individual concerned, in which case consent is the most appropriate basis. Although use of legitimate interest as the processing basis comes with the obligation to perform a careful and documented balancing act, it still makes for a really compelling choice.

A flag of the European Union flies outside the European Commission building in Brussels, Belgium.

Jasper Juinen/Bloomberg

Vijay Sundaram