Under the GDPR (General Data Protection Regulation), knowing how and when you need to seek consent can be tricky.
Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none of the other grounds apply.
The other lawful grounds are:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
However, there will be times when consent is the most appropriate lawful basis, so you need to be aware of your obligations.
Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide
Opt in vs opt out
The GDPR lists specific requirements for lawful consent requests, but must also be given with a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
Although the GDPR doesn’t specifically ban opt-out consent, the ICO (Information Commissioner’s Office) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.
Examples of lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as optional fields in a form); and
- Dropping a business card into a box.
This list isn’t exhaustive, but the point is that consent requests need the individual to provide a clear positive action.
Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.
The trouble with consent
Under the GDPR, individuals are given more control of their data, which means it can be dangerous and time-consuming to rely on consent.
For instance, if you are using consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or who doesn’t reply must be removed from your records.
Individuals are also free to withdraw their consent at any time, which again means you have to remove them from your records.
If you don’t do this, your organisation risks disciplinary action from the relevant supervisory authority.
Additionally, as Rowenna Fielding writes, if a data subject withdraws their consent and you then realise you have a legal obligation to continue processing the data, you’ll find yourself in a catch-22 situation.
In other words, you’re either forced to breach privacy law by processing that data after consent has been withdrawn or you fail to meet your legal obligation to process that data.
Looking for more GDPR compliance help?
You can learn more about your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
The updated second edition of this essential guidebook explains in simple terms the steps you must follow to meet the GDPR’s requirements.
It covers everything you need to know about the Regulation, including:
- Data subjects’ rights;
- How to gain lawful consent;
- Managing consent withdrawal;
- Fulfilling DSARs (data subject access requests);
- How to complete DPIAs (data protection impact assessments); and
- Whether you need to appoint a DPO (data protection officer).
A version of this blog was originally published on 30 August 2017.