Consent in data protection is not a new concept: the current Data Protection Act 1998 (DPA) already cites consent as one of the conditions for processing. However, the Act itself does not define ‘consent’ and offers little guidance on how it should be obtained or what it should cover.
The EU Data Protection Directive (95/46/EC), adopted in 1995 and the basis for the UK’s DPA, does define consent, as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’.
Working from this definition, regulators such as the ICO have been able to give UK entities somewhat clearer guidance over the past 20 years on using consent as a condition for processing: individuals must signify their agreement to their personal data being obtained or processed, and this should involve some form of active communication between the parties.
Consent Under the GDPR
With this in mind, complying with the new consent requirements under the General Data Protection Regulation (GDPR) does not necessarily mean starting from scratch or re-papering every existing consent.
The GDPR’s definition of consent is similar to that of the old Directive, but with a couple of important additions: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
On top of this more specific definition, the GDPR also references consent in more detail in other Articles and Recitals, providing greater clarity on the conditions for consent, as well as guidance for obtaining it, record keeping and withdrawing consent.
So, if you already have consent mechanisms in place, what should you be looking out for when reviewing them for GDPR compliance?
Below are some of the key points on consent under the GDPR:
- The GDPR sets a higher standard for consent and as such, entities must review existing and new consent mechanisms and ensure that they comply with all aspects of the GDPR
- In addition to consent being freely given, specific and informed, it must also be an unambiguous indication of the individual’s wishes
- Consent should be given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data
- Consent mechanisms should be upfront, clear, granular (in fine detail) and easy to use and understand
- Pre-ticked opt-in boxes must not be used
- Consent should be freely given (employers and public authorities may find this difficult and may want to look for an alternative lawful basis for processing)
- Where consent is requested alongside other matters (e.g. terms and conditions, agreements, contracts), the request must be clearly separate from those other matters and must not be a precondition of a service unless the processing is necessary for that service
- Along with the name of the company obtaining the data, any third party who will use or rely on the consent must also be named
- Consent must be verifiable and firms should be able to demonstrate consent
- Keeping records of consent is essential and firms should be able to evidence, at a minimum:
  - that the individual has consented to the use and processing of their personal data
  - that the individual has been told the company name and any third party using the data
  - what the individual was told at the time of consent
  - how and when consent was obtained
- Withdrawing consent must be as easy, clear and straightforward as giving it and should be available at all times
- Consent withdrawal requests should be processed immediately and without detriment
- Where services are offered to children, age-verification and parental-consent measures must be in place to obtain consent
- Controls and processes should be developed and implemented to refresh consent, especially those relating to parental consents
- For special category data, consent must be explicit (stated clearly and in detail, leaving no room for confusion or doubt) with the processing purpose(s) being specified
- Consent can lift a restriction on processing (Article 18), while explicit consent can legitimise transfers outside the EU where no other safeguard applies (Article 49) and solely automated decision-making, including profiling (Article 22)
Reviewing & Revising Consent Mechanisms
Recital 171 of the GDPR states that ‘Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation [GDPR]’.
Any entity relying on previous consent mechanisms will need to review them and, where applicable, revise them to ensure they comply with the new provisions and requirements set out by the Regulation. Consent obtained in a manner that already meets the new requirements will remain valid after the GDPR applies on 25 May 2018.
However, where any part of the consent process does not meet the new Regulation, consent must be obtained again from the data subject using mechanisms and controls that ensure GDPR compliance. Keeping audit and review records is essential business practice and helps firms keep track of, and evidence, their consent revisions.
Alternatives to Consent
With such emphasis on the new consent provisions in the GDPR, it is important to remember that consent is only one of the lawful bases for processing. Always identify which lawful basis you are relying on and whether it is the most appropriate one.
Processing is lawful only where at least one of the following (Article 6(1)) applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
The Regulation also allows Member States to introduce more specific provisions for points (3) and (5) above (legal obligation and public task). If you are obtaining and processing special category data, you will also need to meet one of the specific conditions in Article 9(2).
When Consent is Not Appropriate
Consent is not always the easiest or most appropriate lawful basis for processing. Review all of the conditions first to ascertain which your processing activities fall under.
If you are considering relying on consent, you should ensure that none of the following apply:
- You ask for consent but would still process the data even if it were not given (or were withdrawn). If you would process the data under an alternative lawful basis regardless of consent, consent is not the correct lawful basis to rely on
- You make consent a precondition of a service you offer, so the individual is given no genuine choice
- There is an imbalance in the relationship, i.e. you are in a position of power over the individual (for example as a public authority or an employer)
Catherine Roberts, Founder & Owner, Know Your Compliance
The Regulation itself is a good place to start for information about the GDPR, but the following sources are also useful:
- the ICO website, which holds a wealth of guidance
- the ICO GDPR consent guidance document
- the Article 29 Working Party (WP29) opinions and guidance on the GDPR
- Know Your Compliance’s GDPR section, which gives an overview of our GDPR documents
- our free GDPR infographics, which you can download and print