(If you’re currently building a legal justification table on the platform and you have been taken to this article by the on-platform link, please scroll down to the “How do I build my own legal justification table on the SeedLegals platform?” section below.)
There are a variety of obligations created under the GDPR that must be followed. You have to outline the procedures you put in place to protect Personal Data, where you send any Personal Data (if you send it to third parties), how individuals can request deletion of their personal data, and so on.
However, without doubt, the primary obligation under the GDPR and the whole spirit of the regime is to explain, to anyone you collect “Personal Data” from:
(“Personal Data” is any information about a person from which that person can be identified, e.g. their name, address, gender, IP address, etc.)
It’s all about empowering the individual so that they know what data is being taken from them and giving them some control over use of that data.
What many people do not realise is that this definition means that you owe obligations under the GDPR not only to your customers, but also to your employees.
Because of this need, SeedLegals has created two new privacy products to allow companies to comply with their GDPR obligations:
What we noticed when we were doing our research on competitors’ privacy/data protection/GDPR solutions is that many were simply not fit for purpose.
There were plenty of off-the-shelf templated privacy policies that made a generic reference to the GDPR and to the legal justifications within it, along with some standard wording about putting data protection systems in place and how people can opt out of marketing emails.
But generic references to “consent” or “legitimate interest” and standard wording about security, in our opinion, do nothing to actually explain to individuals what is being done with their data, which was the driver behind the introduction of the GDPR. So, in our opinion, those competing products do not even achieve compliance with the GDPR, let alone reflect best practice.
What we have included in our privacy policies to ensure proper compliance is something we call a “legal justification table”. This allows you to clearly set out when Personal Data is collected, what type, why it is being collected and why you believe you are legally entitled to collect it.
We decided the easiest way to show this information is through a table with three columns: a left-hand column summarising the activity you or your customer undertakes that gives rise to the collection of Personal Data; a middle column identifying what type of Personal Data is collected, e.g. profile/identity/financial; and a right-hand column explaining what legal justification is relied on to collect the Personal Data, with space to add a narrative explaining why you need to collect that particular Personal Data.
You then need to pair each type of Personal Data you collect with one of the legal justifications permitted under the GDPR. Those justifications are as follows:
(Two things to note: 1) if you do not think any of the above justifications apply to the type of Personal Data you have in mind, you should consider whether you are in fact entitled to collect that particular kind of Personal Data; and 2) if you collect any “special categories of data”, you will need to be able to show that you can rely on one of the “enhanced legal justifications”. If you are unsure about those enhanced justifications, please contact us.)
When you head back to the platform, you will be presented with the request “Please list an activity or time when you collect your employee’s/customer’s Personal Data”. Here, you need to think of your first activity, such as “when a user signs up to our service” or “when an employee turns up for their first day” (as appropriate). Once answered, you will then be asked to tick, from the list of the types of data your company collects (which you previously identified from a bigger list), which of those categories are collected under that activity.
For example, when a user signs up to your service, you will probably collect (at least) “Profile”, “Contact”, “Marketing and Communications” and “Technical” data, so you would select those types from the list. Once you have chosen which categories of data apply to the activity, you then need to choose which legal justification you are relying on to collect that data. You can choose more than one justification: for example, you may rely on “consent” for Profile and Contact data but on “legitimate interest” to collect Technical data.
Finally, you are presented with a freeform text box to provide a short narrative about why you believe you can rely on the justification(s) you have chosen and/or to explain which justification applies to which type of data.
We have not only made GDPR compliance possible (given the low quality of the rest of the GDPR compliance market!) but also made it easy for our customers to comply with the GDPR.
The platform also allows you to update your privacy policies at any time. So, if your company pivots and you start undertaking more or different activities which give rise to collection of Personal Data, you can update your policy in a matter of seconds.