Technology has significantly changed the way we communicate and how we do business everyday. If an organisation is processing personal data about an individual, the organisation must have a lawful ground to do so. The General Data Protection Regulations 2016 (GDPR) sets out new rights of individuals and obligations on organisations when processing any personal data. This includes that all processing must be fair and lawful. There are six available lawful bases for processing, and it will depend on the intended use of the data and the relationship with the individual (known as the data subject) when considering which is the most appropriate. One of the possible grounds for processing is based on consent.  

Should we rely on consent?

As we are often asked what is meant by “consent” and when an organisation can rely on an individual’s consent (or rather, when it can’t be relied on), we thought that it may be time for a recap (or introduction if your organisation is new to processing personal information). In summary, for consent to be valid, the individual must have given their clear express consent to the organisation for their personal data to be processed for a specific purpose.  Under the previous legislation (the Data Protection Act 1998), consent was the most commonly relied on basis for processing. However, under the GDPR, there has been a shift change in the consent mechanism, and it may be that consent is not the most appropriate basis for future processing.   Organisations should always look at whether another legal ground is more suitable. Other grounds include fulfilling a contractual obligation (for example delivering goods or services ordered by the individual), or rather than relying on consent to process employment-related information, a change of legal basis to instead of relying on the employees’ contractual terms is more likely to be compliant with the GDPR.  If an organisation decides that consent is the most appropriate basis for processing (for example to send marketing communications) then this decision must be recorded, and the following checklist should be taken into account:

• Don’t use pre-ticked boxes, opt-out boxes or another default setting when obtaining consent;
• Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing (for example separate consent to receive information by email than by SMS message);
• Make sure that the request for consent is clear and unambiguous;
• Keep the request for consent prominent concise and easy to understand;
• Keep the consent opt in separate from other terms and conditions (it must be freely given);
• Ensure that the individual can refuse consent without receiving a reduced service (for example still access some areas of a website without a login);
• Keep records to evidence consent – who consented, when, how, and what they were told.
• Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.

What should we tell individuals?

When an organisation is looking to get consent to carry out some sort of processing activity (such as adding to a marketing database), the individual must be given clear information about what they are consenting to.  In particular, the following information should be given at or before the information is collected (for example in a published Privacy Policy or consent statement): 

• • the name of your organisation;
  • the name of any third-party controllers who will rely on the consent;
  • what information is being collected
  • why you want the information;
  • what you will do with it; and
  • that individuals can withdraw consent at any time.

Keep under review

Although the GDPR does not set a specific time limit for consent, ICO describes consent as “likely to degrade over time”.  If you are relying on the consent you should keep consents under review and periodically look at whether the consent is likely to still be valid.  This will depend on the scope of the original consent and the individual’s expectation at the time consent was given.  You may need to request new consent from time to time to be able to justify continued reliance. If someone withdraws consent, you need to stop processing personal data if you have relied on consent as soon as possible in the circumstances. This will not affect the lawfulness of your processing up to that point.  If it is “necessary” to continue to process an individual’s personal data, you should consider whether consent was the most appropriate lawful basis in the first place.  

Recommendations

To help with GDPR compliance, and to help with achieving higher levels of trust from customers, we suggest that organisations;

• check that consent is the most appropriate ground legal for processing
• check that consent can be given (for example is the individual vulnerable or a child?)
• is consent freely given (rather than tied in with agreement to wider terms and conditions)
• make sure that you have clearly told individuals what you will be doing with their data (and not use it for any other purpose)
• make sure your Privacy Notice and any wording around the consent is clear about processing based on consent
• make sure that you have allowed individuals to choose how they want to be contacted (SMS, email, etc)
• make sure that unsubscribing (or withdrawing consent) is straightforward
• regularly review the consent gathering process (and how long you rely on an individuals’ consent)
• keep records 

LawBite can help

Our lawyers provide expert GDPR legal advice to your business to ensure that your documents, including your websites and contacts, are appropriate and robust. We also offer to review your terms and conditions and recommend updates and improvements to make them more effective and better suited to your business. For more information, or for advice on the use of Cookies and what steps your business should take to comply with the regime, including drafting or amending your Privacy Notice or compliance documents, please get in touch with us at [email protected] or contact Rachel Robinson at LawBite. This note is a summary of the GDPR and does not constitute legal advice. The author of this Blog article, Rachel Robinson. Rachel Robinson has over 20 years’ experience of providing company commercial law advice, including drafting contracts, data protection and competition law to organisations of all sizes, ranging from FTSE100 companies to owner managed small business.