GDPR - The myth about consent
To ensure that any processing of personal data is lawful under the General Data Protection Regulation (“GDPR”), your organisation must identify a lawful basis on which it proposes to carry out such processing. It is a common misconception that consent is the only basis on which to justify the processing of personal data. In fact, there are six bases an organisation can rely on to justify processing; consent is only one of them.
In this briefing, we will consider the new requirements for consent and consider the other lawful bases on which processing personal data can be justified in compliance with the GDPR.
Historically the business community has relied on the use of a default opt-out or pre-selected tick boxes (which are often ignored) as a means of obtaining consent under the Data Protection Act 1998. The obligation to obtain consent under the GDPR is much more onerous and such methods will no longer be acceptable. Organisations will need to adopt other methods such as unticked opt-in boxes which require a tick or other opt-in methods.
Under the GDPR, consent must be freely given. When explaining consent, it will be a requirement to use clear and plain language. Consent also needs to be specific and informed. This means that organisations must include details of the controller (i.e. your organisation and any third parties relying on the consent), the purpose of the processing, the type of processing and the right to withdraw consent at any time.
It will not be enough to rely on blanket consent. Where appropriate, separate consent will be necessary for different types of processing.
Consent requests should also be kept separate from other terms and conditions.
Parents of guardians of children under the age of 13 will be required to give consent to information services.
It must also be just as easy to withdraw consent as it was to give it in the first place and people must be advised of this right.
Organisations must keep records to evidence consent so that they can show what people were told and when and how they consented.
Getting it wrong could mean a fine of up to 20 million euros or 4 % of your organisation’s worldwide annual turnover, whichever is higher.
If your organisation relies on consent at the moment, it will need to review this consent and the mechanisms for obtaining it to ensure it meets the standards of the GDPR. If it does not, your organisation will need to take steps to renew or refresh consent. It will also need to keep its consents under review if its purposes or activities change.
Although consent can legitimise the use of a special category data, restricted processing, automated decision making or overseas transfers, it is only one of the bases on which processing can be lawfully carried out in accordance with the GDPR.
Consider whether there is another lawful basis which is more appropriate to your organisation and if so, advise individuals what this basis is from the start.
Consent will be necessary for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices. However, if your organisation is in a position of power such as a public authority or an employer, consent may not be appropriate as consent will not be regarded as being given freely. Your organisation should therefore consider another basis for processing.
What are the alternatives to consent?
• Necessary for performing a contract with an individual or to take steps at the individual’s request prior to entering into the contract
For example, if your organisation has entered into a contract with a customer to supply goods and/or services. This also includes steps taken at the individual’s request before entering into a contract.
• Necessary for compliance with a legal obligation to which the data controller is subject
For example, the law requires your organisation to process the data for a particular purpose.
• Necessary to protect the vital interests of a data subject or another person
For example, the processing is necessary to protect the life of the data subject or someone else.
• Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
For example, an organisation needs to process personal data to carry out its official functions or a task in the public interest such as a public body.
• Necessary for the purposes of legitimate interests pursued by the data controller or third party
If your organisation is in the private sector, data can be processed if your organisation has a genuine and legitimate reason for processing personal data unless this is outweighed by the harm to the individual’s rights and interests.
Conditions for processing a special category of personal data
The above considers the lawful bases on which processing personal data can be justified in compliance with the GDPR. There are different bases which an organisation must consider when it proposes to carry out the processing of sensitive personal data.
Under the GDPR sensitive personal data is referred to as special categories of data and includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Obtaining explicit consent of the data subject is one way to justify processing a special category of personal data. When obtaining express consent, there will be a requirement to include an express statement of consent which is separate from any other consents specifying the nature of the special category data, the details of the automated decision and its effects or the details of the data to be transferred and the risks of the transfer.
There are other lawful bases set out in the GDPR that can be satisfied where the processing relates to a special category of personal data which are more limited and specific and are beyond the scope of this briefing note.
Whatever the reasons for processing personal data or a special category of personal data (as the case may be), this will need to be documented so that your organisation can demonstrate to the Information Commissioner’s Office which lawful basis it is relying on under the GDPR.
The new Data Protection Bill was published in September 2017 and is currently making its way through Parliament. It is too early to know what form the final Data Protection Bill will take and it may differ from the GDPR in some respects. Brachers will continue to monitor the situation and highlight any points where differences are likely to have a material effect.
How can we help?
For further information and advice on the GDPR please contact our specialists:
GDPR - Data subjects’ rights Read more
GDPR - Transferring data overseas Read more
GDPR - do you know what’s coming? Read more
Frequently asked questions on GDPR Read more
GDPR – is your business ready? Read more
Making your contracts Brexit-proof Read more