Consent is used by many organisations as the default option when it comes to the legal basis for processing personal data. Using consent can often provide certainty for organisations that their legal basis for processing the personal data of the individual is sound.
However, consent under the GDPR is changing, and these changes are likely to mean that consent will be less straightforward to rely upon and may not be the most appropriate legal basis for processing personal data. Controllers will need to review existing mechanisms for obtaining consent to ensure that they are valid and appropriate under the GDPR.
The first key change is that the GDPR is raising the bar for consent. Consent under the GDPR requires a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR therefore clarifies that pre-ticked opt-in boxes are not valid consent. The GDPR also makes it explicit that consent must be as easy for people to withdraw as it was to give. If your organisation relies upon consent to process personal data, you will need to review the consent you already have to ensure it meets the standards of the GDPR. If it does not, then fresh consent will need to be obtained (assuming consent is the appropriate legal basis for processing the personal data).
The second key change is that consent may no longer be the appropriate legal basis for processing data. The ICO has issued draft guidance on the use of consent which states that consent will not always be the easiest or the most appropriate legal basis for processing. Whilst the guidance is still in draft form (pending the release of European Guidance on the use of consent due by the end of the year) the ICO has stated that it is unlikely that the guidance will change significantly in its final form. Two of the key points for controllers to note from this guidance are:
- Consent should not be used where there is an imbalance in the relationship between the controller and the data subject. The specific examples given in the guidance are where controllers are public authorities dealing with members of the public and employers dealing with employees. This is because individuals may feel compelled to provide consent for their personal data to be processed for fear of not being provided with a service or for fear of losing their job.
- Controllers should always choose the lawful basis that most closely reflects the true nature of the relationship with the individual and the purpose of the processing. This will not necessarily be consent. There are five other legal bases for processing personal data which may be more appropriate, for example, the performance of a contract or the legitimate interests of the controller. Consent should only be used where no other lawful basis applies. The key issue for your organisation in determining whether consent is the appropriate legal basis is to determine whether you would still process the personal data on a different lawful basis if consent were refused or withdrawn. If so, then consent is not the appropriate legal basis for processing the personal data.
It is clear therefore that you will need to identify the most appropriate lawful basis for your processing activity from the outset, and only obtain consent from the data subject where there is no other more appropriate legal basis.
If you’d like the Information Law Team to review your current consent mechanisms, provide you with amended consent wording, or talk to you about the appropriate legal bases for processing personal data, just contact Lowri Phillips.
If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide.
Geldards are delighted to announce that to help organisations to comply with the GDPR we will shortly be launching our online GDPR e-learning solution. A cost effective and easy access learning option, the course complements the expert legal advice we provide, with a training resource specifically designed to deliver an understanding and insight into GDPR for your entire workforce.