If you lead any kind of online life you will have probably been inundated with emails imploring you to confirm and continue your various subscriptions. The General Data Protection Regulation (GDPR) has had the unexpected benefit of allowing all of us to finally dispose of some of those deeply irritating messages that clog up our inbox, and for that many of us are probably grateful.
The reason for this flurry of activity is the set of changes within the GDPR which require explicit data subject consent for some forms of data processing, including various types of messaging and marketing. Consent, however, is not the only lawful basis for processing data under the regulation.
That said, the changes to the regulations regarding consent are significant and they will persist long after this current flurry of activity has passed, in part because the GDPR changes the relationship between individuals and the organisations who hold and process their personal data.
How does the GDPR define consent?
The Information Commissioner’s Office (ICO) says the following about consent:
- The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
- Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third party controllers who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent to processing a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given and should avoid over-reliance on consent.
What does this mean for me?
This list alone should suggest that, as the ICO is at pains to point out, consent may not be the most appropriate basis for processing data and it is not necessarily an easy option.
We have highlighted a number of keywords and concepts within the ICO guidance on consent. Our aim in doing so is to emphasise the potential complexity of relying on consent as your basis for processing. Consent has its place but comes with potential disadvantages. It is critical that you take time to fully assess the potential benefits and drawbacks of being overly dependent on consent as your sole lawful basis.
Consent has to be informed and freely given; you have to be able to demonstrate that this is the case, and you must document and record the basis for consent: when it was given, how it was given, and when or whether it will be renewed.
Potential drawbacks with consent
From a business perspective, consent can be restrictive – if you have relied upon consent and wish to perform data processing beyond the limits of that consent, you have to go back to your data subjects and seek further consent. Processing based on consent must be granular, one of those buzzwords which can mean different things to different people. In this case, it refers to specific consent for specific processing activities. The subject may have given consent to receive newsletters but will need to give further, specific consent to allow the data processor to pass their data on to a third party. The data processor may need to seek yet further consent from the data subject depending on what processing that third party is going to perform.
This further consent would need to give the subject clear information about what exactly the third party was intending to do with their data.
This may well be entirely appropriate and it may accord with the relationship that you aspire to have with your clients; however, it is an operating overhead that has to be planned for. Your subject retains the right to withdraw consent to some or all of the processing involved, so being able to track consent at a very specific level will be necessary if you are going to be able to accede to a request to withdraw consent.
Is consent the only way to process data?
Not at all. There are a number of lawful bases for processing data under the GDPR (see below). Consent is not always appropriate, for instance, it is inappropriate where the subject’s right to withdraw consent for some or all data processing might result in a detriment to them.
If an individual relies on a service, and that service, in turn, relies on the consent of the individual, does their consent remain freely given if they know that withdrawing consent will deprive them of the service?
We appreciate that these matters can appear unnecessarily tortuous, but it is critical at an early stage to identify the lawful bases for processing data and to identify which of them apply to your organisation. Consent is just one of the lawful bases for data processing but, like the fines available to the ICO, we seem to have heard more about it than about some of the others.
What are the alternatives to consent under the GDPR?
The ICO offers a useful schematic to illustrate the various lawful bases for processing data. It is worth noting that an organisation can rely on more than one lawful basis for processing data, depending on its requirements and those of its data subjects. It is valuable to include these here as a counterpoint to consent and to illustrate the potential complexity of lawful bases.
Consent and small businesses
One of the questions which arises every time consent is raised concerns small organisations who do nothing more than maintain contact details in order to communicate with their clients. In such cases consent may well be appropriate, as the reason for processing can be easily and clearly explained (to send you a quarterly newsletter); alternatively, the legitimate interest lawful basis may also be appropriate.
If you decide that consent is the appropriate (or one of the appropriate) lawful bases for processing, be aware that the requirement doesn’t magically start on the 25th of May 2018; it applies to the personal data you already hold. This is why we have all been getting those emails, begging for permission to continue sending us emails. It is highly desirable that you can show where the personal data you currently hold comes from, but updating your consent with an explicit opt-in option, allied to a clear statement of what data will be used and how, is almost certainly required, if only to keep you on the right side of the GDPR.
Consent is an important component of the GDPR, but it is not the only reason to process data. It potentially imposes a significant operational impact and may well not be the best basis for you and your data processing. We would encourage you to speak to us if you would like to discuss this or any other aspect of the GDPR. Onestop IT specialises in helping companies prepare for, and to maintain, GDPR compliance. Our expertise is ready and waiting for you.