Under the EU General Data Protection Regulation (GDPR), knowing how and when you need to seek consent can be tricky. Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none of the other grounds apply.
The other lawful grounds are:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
However, there will be times when consent is the most appropriate lawful basis, so you need to be aware of your obligations.
Opt in vs opt out
The GDPR lists specific requirements for lawful consent requests, and consent must also be given by a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.
Although the GDPR doesn’t specifically ban opt-out consent, the Information Commissioner’s Office (ICO) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.
Examples of lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as optional fields in a form); and
- Dropping a business card into a box.
This list isn’t exhaustive, but the point is that consent requests need the individual to take a clear positive action. Consent requests must not rely on silence, inactivity or default settings, and must not take advantage of inattention, inertia or default bias in any other way.
The trouble with consent
Under the GDPR, individuals are given more control over their data, which means that relying on consent can be risky and time-consuming.
For instance, if you are using consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or who doesn’t reply must be removed from your records.
Individuals are also free to withdraw their consent at any time, which again means you have to remove them from your records. If you don’t do this, your organisation risks enforcement action from the relevant supervisory authority.
Additionally, as Rowenna Fielding writes on her blog, if a data subject withdraws their consent and you then realise you have a legal obligation to continue processing the data, you’ll find yourself in a catch-22 situation: either you breach privacy law by processing that data after consent has been withdrawn or you fail to meet your legal obligation to process that data.
Get ready for the GDPR
Our EU General Data Protection Regulation (GDPR) Documentation Toolkit can accelerate your GDPR compliance project. Designed and developed by expert GDPR practitioners, it provides all the templates, worksheets and policies needed to comply with the documented aspects of the Regulation.
With this toolkit, you can get professional guidance on GDPR compliance obligations and personal information best practice, make sure you have adequately identified risks to personal data and integrate GDPR documentation with your ISO 27001 documentation.