By now you should understand the basic principles of the GDPR and the reasoning behind its introduction. With further obligations to the Data Protection Act (DPA) on such matters as subject consent, anonymisation of data and profiling, to name a few, the GDPR will most likely require all companies to alter the way they process and store data.
Here we will focus on the operational impact of data consent. What changes will you need to make in practice? When consent is invalid and whether data previously obtained under the DPA still be used.
What is consent and why is it important?
Consent means offering individuals genuine choice and control over the lawful processing of their personal data. Whereas previously you were allowed to rely on implicit or ‘opt-out’ consent in some circumstances, the GDPR now requires a very clear and specific statement of what the subject is consenting to.
You may wonder why you have to go to such lengths to obtain these new permissions. The long and the short of it is that in today’s digital world potentially countless numbers of people have access to one’s personal information at any given time. The GDPR aims to limit this and protect individuals from exploitation and identity theft.
Separate consent should be sought for different types of processing, especially special category personal data (e.g. health data), profiling or overseas transfers. There are also specific new provisions on child consent and for scientific research purposes. We will cover these in a later article.
OK, I get it but can I still use my data obtained correctly under the DPA?
Yes and no. There is no obligation to automatically refresh all your existing consents taken under the DPA if they already meet the GDPR standard. However, if the method of consent doesn’t meet the new standard, you will need to seek new GDPR-compliant consent, ensuring that the continued processing is fair and has a lawful basis. If you are unable to do so you must stop the processing immediately.
In either circumstance, all consents must be properly documented and compliant mechanisms put in place for individuals to withdraw their consent easily.
There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
What changes do I need to make in practice?
First of all, you need to look at your current consents that you have obtained from individuals. You will need to decide whether that consent is the most appropriate basis for processing, whether it needs refreshing and if so, what form it would take and how you could most efficiently carry it out.
Once you have gone through this process, you should speak to your website/system provider about how you can add and manage this new form of consent online. It helps if you have already gone through the above thought process and know what you specifically need to obtain permission for. If you really are stuck, it is a good idea to have a GDPR consultant come in and walk you through that process.
No matter what, the mode of consent you use must be unambiguous and it has to involve a clear affirmative action.
Do I always need consent?
In short, no. If consent is too difficult, look at whether another lawful basis is more appropriate. You should always question what the true nature of your relationship is with an individual and the purpose of the data you process.
We recommend a holistic approach whilst considering your current policy on the obtaining of consent. Look at your policy on consent for all marketing calls and/or messages, website cookies, other online tracking methods, and if you install apps or other software on people’s devices.
When is consent inappropriate or invalid?
Consent can also be particularly problematic when it is arguable that the individual is not in a position to freely give consent. An example the ICO gives provides clarity on this.
A company asks its employees to consent to monitoring at work. However, as the employees rely on the company for their livelihood, they may feel compelled to consent, as they don’t want to risk their job or be perceived as difficult or having something to hide.
Your aim is to not be misleading. If you would still process their data on a different lawful basis then requesting consent is misleading and doesn’t allow the individual any true element of control.
Questions to ask yourself are:
- Am I in a position of power over the individual (e.g. their employer)?
- Does the individual depend on your services? Are they likely to fear adverse consequences?
Consent can be considered to be invalid if there are doubts over whether true consent has been given or the individual is unaware they have given it.
You are also required to consider the following:
- Whether there was a genuinely free choice in consent
- Whether an individual would have been penalised for refusing
- If it was a precondition of service
- Whether it was bundled up with other terms and conditions
- Was it vague
- Did you used pre-ticked boxes
- You didn’t specifically mention your organisation
- There is no mention of the right to withdrawal
- And/or your purposes and activities have evolved
Any of the circumstances above render the consent invalid.
Alternatives to consent
We have discussed ‘other lawful basis’, without much clarity on what they could be. You can process personal data without consent under the following circumstances:
- A contract with the individual: e.g. to supply goods or services they have requested, or to fulfill your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
- Vital interests: e.g. if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can.
- Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
Obtaining, recording and managing consent
We’ve already touched on how your request should be clear, concise and separate to your terms and conditions. You should also name your organisation, any third parties who will rely on the consent, why you want the data, what you will do with it and be explicit in their right to withdraw that consent at any time.
You must have an audit trail of how and when consent was given so that you can show that you are compliant if challenged. It should include, who consented, on what date and time, what they were told at the time, how they consented and whether they have withdrawn consent.
It is essential that you offer ongoing choice and control. Not only to be compliant but to allow a relationship of trust to foster between you and the individual.
It is good practice to offer a preference-management tool to allow people to easily access their consent and preferences online. If any operations or processes change which affect their data, you will need to refresh consent with them.
Here is a simple checklist you can use to begin the journey through the murky waters of the GDPR:
- Does it make sense to rely on consent for all of them or are there other legal justifications that can be relied upon on certain occasions?
- When requesting consent ensure that it is given freely, it’s specific & informed, unambiguous and explicit.
- Ensure that there is a method of recording the consent (date, time, method)
- Ensure that there is a process in place for an individual to withdraw consent and that it occurs promptly.
- Have a document/system in place enabling you to produce a record of all consents. Essentially to demonstrate your compliance.
Avoid making consent a precondition of a service.