As you probably are well aware by now, the European General Data Protection Regulation (GDPR) goes into effect next month on May 25. Much is being written about it, and if you do any sales and/or marketing, you’re probably getting all kinds of emails warning you about the need to be compliant with the new regulations regarding your collection and processing of personal data.
GDPR makes major changes to all of Europe’s privacy laws and has serious implications for companies both inside and outside the EU. Regardless of where your company is located, if you collect and/or process the personal data of any individual living and working within the EU you will be subject to the new regulation.
Attracting much attention is the GDPR concept of the “right to be forgotten” (RTBF). Article 17 of the GDPR provides data subjects with the right to request erasure of personal data relating to them. In other words, controllers (and their data processors) are required to erase personal data “where the data subject objects to legitimate interest-based processing and the controller does not have an overriding legitimate interest.” The exception is where, notwithstanding the data subject’s objection, the controller can demonstrate compelling legitimate grounds, based on the legitimate interests of the controller (or a third party), that override that objection.
This concept is of particular interest, and a source of confusion, to organizations that rely on current and potential customer data for their sales and marketing efforts. In many circumstances it is difficult and/or prohibitively expensive to actually obtain consent that meets the criteria of clear, affirmative, freely given, etc. Therefore, it may be tempting for organizations to attempt to justify their processing of personal data as a “legitimate interest,” thereby doing an end run around the consent requirement.
While this likely will not fly for advertising or other direct marketing, a strong case can be made for the license compliance programs of software and intellectual property (IP) developers. GDPR contains a clear caveat that even when data processing is necessary to the controller, the legitimate interests must be weighed against “the interests or fundamental rights and freedoms of the data subject.” If controllers want to use legitimate interests as a justification for not obtaining consent, they will have to prove their legitimate interests are more compelling than the implied general interests of data subjects. 
In the case of software and IP developers who control the legitimate use of their products via license compliance programs, there may be a compelling reason to collect and process the data of those who download the IP, agree to the licensing terms, and use the product. License compliance programs may monitor usage to ensure that the IP is being used legitimately and under the license agreement terms. Unauthorized use and use of counterfeit licenses are illegal, and any data collected on illegal use may be important for protecting the rights of the IP owner, as well as for protecting the rights of legitimate licensees from unfair competition in the marketplace. The legitimate interests of the software and IP companies (data controller) could, in this instance, likely override the rights of individuals who are using the products illegally. Moreover, the unauthorized users would arguably not have the RTBF in cases where the personal data may be legal evidence in a copyright infringement or breach of contract case.
For more information on how SmartFlow license compliance management software can help users comply with GDPR personal data collection issues, visit https://www.smartflowcompliance.com/press-releases/smartflow-enterprise-2017-configurable-data-collection-functionality-enables-compliance-with-gdpr.