While the GDPR retains the same core rules as the existing Data Protection Directive, there are numerous significant changes and ‘consent to process sensitive personal data’ is an area that’s attracted a lot of attention.
In summary:
- It will be much harder for you to obtain a valid consent under the GDPR
- Individuals can withdraw consent at any time
- Consent to process sensitive personal data or to transfer personal data outside the EU must be explicit
- Consent is not the only route available to data users - there are other justifications such as legitimate interest, where the data user can show that the customer would have a genuine interest in the information they are being contacted about
Consent has always been core to data protection law and seems a reasonable ask on the face of it, but obtaining an individual’s consent to process their personal information, and establishing the legal basis for using it, is set to get a lot more complicated by the deadline day of 25 May 2018.
A lack of clarity in the current laws has allowed different parties to approach consent in a variety of ways over the years, but revising the rules as part of GDPR has given European legislators an opportunity to close the loop and set out the limitations beyond doubt, to ensure a more consistent approach across the EU.
New legal definition of consent
The GDPR definition doesn’t appear to be a big departure from what we have currently:
‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’
However, ‘unambiguous’ and ‘by statement or by a clear affirmative action’ present new challenges and will increase the legal requirements for anyone who wants to make appropriate use of personal data.
Let’s go through each part of the definition to understand exactly what sits behind the wording.
Freely given
Current guidance on freely given consent takes the approach that there should be a genuine choice made on the part of the data subject when they provide their data, and that they should not have been misled, intimidated or negatively impacted if they withheld consent.
GDPR goes one step further to formalise this view and explains that consent is not considered to be freely given where:
- The subject has no genuine or free choice, or is unable to refuse or withdraw consent easily and without detriment.
- The conditions of a contract (including the provision of a service) are conditional on consenting to the processing of personal data that is not necessary for the performance of that contract.
- There’s a clear imbalance between the data subject and the controller. For example, where the controller is a public body, or between an employer and an employee.
- Separate consent cannot be given to different data processing operations, despite it being appropriate to the individual case.
Freely given: A genuine choice given and not misled, intimidated or negatively impacted if consent is withheld
Specific
This means consent must be obtained in a way that’s distinguishable from other matters, so it’s very clear what the subject is agreeing to. It must cover all processing activities carried out for the same purpose(s), and where processing has multiple purposes, it must be given for all of them.
So, very specific, with no room for grey areas.
Specific: Consent is clearly distinguished from all other matters
Informed
The requirement to be informed is about ensuring the data subject is treated fairly and any processing is performed in a transparent way. That means:
- They must at least be aware of the controller’s identity and the intended purpose of any processing of their data
- They must be informed of their right to withdraw consent at any time, before they give consent
Informed: Treated fairly and processing is transparent
Unambiguous
GDPR states that there must be an unambiguous indication of the data subject’s wishes. In practice, that means the way in which consent is collected should leave no room for doubt about the subject’s intentions in providing their agreement for personal data to be processed.
This overlaps with ‘specific’ somewhat. For example, clear consent to receive a newsletter is one thing, but when data is collected in the hope of processing it for multiple purposes, it gets a lot harder to tick the unambiguous box.
Unambiguous: No room for doubt around the subject’s agreement to data processing
Statement or clear affirmative action
This is a new element of the definition concerning proof: there needs to be a positive indication of agreement, not one inferred from silence, pre-ticked boxes or inaction on the part of the subject, all of which have been relied on by businesses in the past. For example, you can no longer depend on a data subject not explicitly refusing consent.
Statement or clear affirmation: Positive indication, not silence or inactivity
In addition to all of this, there are several steps an organisation needs to take:
- Data controllers will also be expected to keep records so consent can be verified
- Requests made by way of written declaration must be intelligible, include no unfair terms, be made available in an easily accessed format, and use clear and plain language
- Requests made using electronic means must be clear, concise and not prove disruptive to the service
- The subject must be able to withdraw their consent at any time and it should be as easy as it was to give consent
Consent versus Explicit Consent
It’s important to bear in mind that GDPR makes a distinction between consent and explicit consent. Explicit consent is reserved for processing sensitive categories of personal data or transferring data between countries, but without a separate definition of the term, the distinction could be considered unclear.
What next?
Consent is just one option when it comes to processing personal data, but as the points above should help spell out, it’s not an easy one.
A more rigorous specification means more detailed and onerous obligations, so it makes sense to weigh up your options and work out whether consent is the best way to establish your basis for processing, particularly now that the right to withdraw consent with ease forms part of the legislation.
Of course, in order to meet compliance standards for consent, and for GDPR in general, you will need to have the right IT support in place to enable the gathering of consent, its withdrawal, the secure and accurate processing of personal data, and comprehensive records regarding all of these actions.
Knowing what systems you have in place and how they can be upgraded to meet compliance standards is not easy, so it is worth considering seeking help from a certified GDPR consultant who can audit what you currently have, and what you need in the future, to comply.
Find out what steps you need to take to start on the road towards compliance and how pebble.it can help get you there by downloading our free GDPR-readiness checklist: