Technology has significantly changed the way we communicate and how we do business every day. If an organisation is processing personal data about an individual, the organisation must have a lawful ground to do so. The General Data Protection Regulation 2016 (GDPR) sets out new rights for individuals and obligations on organisations when processing any personal data, including that all processing must be fair and lawful. There are six available lawful bases for processing, and which is the most appropriate will depend on the intended use of the data and the relationship with the individual (known as the data subject). One of the possible grounds for processing is consent.
Should we rely on consent?
As we are often asked what is meant by “consent” and when an organisation can rely on an individual’s consent (or rather, when it can’t be relied on), we thought it may be time for a recap (or an introduction, if your organisation is new to processing personal information). In summary, for consent to be valid, the individual must have given clear, express consent to the organisation for their personal data to be processed for a specific purpose. Under the previous legislation (the Data Protection Act 1998), consent was the most commonly relied-on basis for processing. However, the GDPR has brought a step change in the consent mechanism, and it may be that consent is not the most appropriate basis for future processing. Organisations should always look at whether another legal ground is more suitable. Other grounds include fulfilling a contractual obligation (for example, delivering goods or services ordered by the individual); likewise, rather than relying on consent to process employment-related information, relying instead on the employees’ contractual terms is more likely to be compliant with the GDPR. If an organisation decides that consent is the most appropriate basis for processing (for example, to send marketing communications), then this decision must be recorded and the following checklist should be taken into account:
Don’t use pre-ticked boxes, opt-out boxes or another default setting when obtaining consent;
Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing (for example separate consent to receive information by email than by SMS message);
Make sure that the request for consent is clear and unambiguous;
Keep the request for consent prominent, concise and easy to understand;
Keep the consent opt-in separate from other terms and conditions (it must be freely given);
Ensure that the individual can refuse consent without receiving a reduced service (for example still access some areas of a website without a login);
Keep records to evidence consent – who consented, when, how, and what they were told;
Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
What should we tell individuals?
the name of your organisation;
the name of any third-party controllers who will rely on the consent;
what information is being collected;
why you want the information;
what you will do with it; and
that individuals can withdraw consent at any time.
Keep under review
Although the GDPR does not set a specific time limit for consent, the ICO describes consent as “likely to degrade over time”. If you are relying on consent, you should keep consents under review and periodically consider whether the consent is likely to still be valid. This will depend on the scope of the original consent and the individual’s expectations at the time consent was given. You may need to request fresh consent from time to time to be able to justify continued reliance on it. If someone withdraws consent, and consent is the basis you have relied on, you need to stop processing their personal data as soon as possible in the circumstances. This will not affect the lawfulness of your processing up to that point. If it is “necessary” to continue processing an individual’s personal data after they withdraw consent, you should consider whether consent was the most appropriate lawful basis in the first place.
To help with GDPR compliance, and to help achieve higher levels of trust from customers, we suggest that organisations:
check that consent is the most appropriate legal ground for processing
check that consent can be given (for example is the individual vulnerable or a child?)
check that consent is freely given (rather than tied in with agreement to wider terms and conditions)
make sure that you have clearly told individuals what you will be doing with their data (and not use it for any other purpose)
make sure your Privacy Notice and any wording around the consent is clear about processing based on consent
make sure that you have allowed individuals to choose how they want to be contacted (SMS, email, etc)
make sure that unsubscribing (or withdrawing consent) is straightforward
regularly review the consent-gathering process (and how long you rely on an individual’s consent)
LawBite can help you
LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our online legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium-sized businesses.
Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, want to talk to an expert trademark lawyer, need to resolve a contractual dispute through methods like mediation and arbitration, or are getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.