Should we rely on consent?

As we are often asked what is meant by “consent” and when an organisation can rely on an individual’s consent (or rather, when it can’t be relied on), we thought that it may be time for a recap (or an introduction if your organisation is new to processing personal information).

In summary, for consent to be valid, the individual must have given their clear express consent to the organisation for their personal data to be processed for a specific purpose. Under the previous legislation (the Data Protection Act 1998), consent was the most commonly relied on basis for processing. However, under the GDPR, there has been a shift in the consent mechanism, and it may be that consent is not the most appropriate basis for future processing.

Organisations should always look at whether another legal ground is more suitable. Other grounds include fulfilling a contractual obligation (for example delivering goods or services ordered by the individual). Similarly, rather than relying on consent to process employment-related information, changing the legal basis to rely instead on the employees’ contractual terms is more likely to be compliant with the GDPR.

If an organisation decides that consent is the most appropriate basis for processing (for example to send marketing communications) then this decision must be recorded, and the following checklist should be taken into account:
- Don’t use pre-ticked boxes, opt-out boxes or another default setting when obtaining consent;
- Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing (for example separate consent to receive information by email than by SMS message);
- Make sure that the request for consent is clear and unambiguous;
- Keep the request for consent prominent, concise and easy to understand;
- Keep the consent opt in separate from other terms and conditions (it must be freely given);
- Ensure that the individual can refuse consent without receiving a reduced service (for example still access some areas of a website without a login);
- Keep records to evidence consent – who consented, when, how, and what they were told.
- Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
- the name of your organisation;
- the name of any third-party controllers who will rely on the consent;
- what information is being collected;
- why you want the information;
- what you will do with it; and
- that individuals can withdraw consent at any time.
Keep under review

Although the GDPR does not set a specific time limit for consent, the ICO describes consent as “likely to degrade over time”. If you are relying on consent, you should keep consents under review and periodically look at whether the consent is likely to still be valid. This will depend on the scope of the original consent and the individual’s expectation at the time consent was given. You may need to request new consent from time to time to be able to justify continued reliance.

If someone withdraws consent and you have relied on consent as the basis for processing, you need to stop processing the personal data as soon as possible in the circumstances. This will not affect the lawfulness of your processing up to that point. If it is “necessary” to continue to process an individual’s personal data, you should consider whether consent was the most appropriate lawful basis in the first place.
Recommendations

To help with GDPR compliance, and to help with achieving higher levels of trust from customers, we suggest that organisations:
- check that consent is the most appropriate legal ground for processing
- check that consent can be given (for example is the individual vulnerable or a child?)
- check that consent is freely given (rather than tied in with agreement to wider terms and conditions)
- make sure that you have clearly told individuals what you will be doing with their data (and not use it for any other purpose)
- make sure your Privacy Notice and any wording around the consent is clear about processing based on consent
- make sure that you have allowed individuals to choose how they want to be contacted (SMS, email, etc)
- make sure that unsubscribing (or withdrawing consent) is straightforward
- regularly review the consent gathering process (and how long you rely on an individual’s consent)
- keep records