The EU General Data Protection Regulation (GDPR) brings with it new requirements for the capture and use of consent to process personal data, along with new puzzles and misconceptions about the requirement for its use for data controllers.
Whilst we await the publication of new guidance from the Information Commissioner’s Office on consent, we’re taking a look at the options around consent and the legality of processing data.
There are four key requirements to consider:
Consent information must be clearly distinguishable from other matters
This means organisations cannot hide consent capture in amongst lengthy terms and conditions, particularly not as a non-unique section. Data subjects must be able to identify that a particular document or section of information is asking for their consent to process their data.
Consent capture must be in an intelligible and easily accessible form
Data subjects need to understand what they’re signing up to and be able to locate the information about how their data will be used. It is unlikely to be considered acceptable to require individuals to wade through mountains of other unrelated documentation or click through multiple links to find the information they require to decide whether or not to consent.
Clear and plain language must be used
Avoid complex legalese, acronyms and abbreviations which individuals may not understand. Keep it simple. Choices should be given as “yes” or “no” options rather than conditional such as “yes but only if” or “no except in the circumstances of”.
Prior to giving consent the data subject must be informed that they can withdraw their consent at any time
This won’t make any processing carried out until such time unlawful, provided it was carried out in accordance with the Regulation.
Why gain consent?
GDPR is designed to give data subjects as much control as possible over their data and focuses on the use of consent.
- Correctly captured consent is a clear form of authorisation to use personal data.
- Provided your consent processes meet the requirements set down by the Regulation and a data subject hasn’t withdrawn their consent to processing, it is arguably the hardest legal basis to dispute.
- Further data subjects gain a sense of openness and honesty about your services when you gain their consent.
Why not consent?
There are a few important things to bear in mind when considering consent as your basis for processing.
- It’s easy for data subjects to withdraw consent. This could significantly interrupt your business processes.
- Before you capture consent, consider whether you would continue processing personal data on another legal basis if that consent were withdrawn. If you would it isn’t fair to capture and rely on consent in the first place.
- Bear in mind that if you want to widen the purposes for which you utilise the data it may not be captured by your initial consent document. It’s worth considering the other options available to you first.
For day-to-day processing, Article 6 of the Regulation sets out five other possible bases which can be used to lawfully process personal data. There’s a key theme running through them in that the processing must be necessary – and you must be able to justify why you need to carry out such processing to achieve your aim.
Consider each of the following:
If a data subject has signed up to a contract or asked to sign up to a contract with your company, you can process their relevant personal data without seeking their further consent.
Some organisations are subject to legal obligations which require them to process certain pieces of personal data. Where those obligations apply to your company you should have a legal basis for processing the respective personal data. Ensure you are fully aware of what you are obliged to process to ensure you process the required data on this basis.
Where your processing activity is carried out in the wider public interest then you can use this basis, but be careful as it is likely that there will need to be a strong public interest to override the requirements for another legal basis.
Necessary to protect vital interests of the data subject or another natural person
This is unlikely to apply for most non-healthcare related organisations but is worth bearing in mind in the case of a medical emergency or if you are indeed a healthcare provider.
Legitimate interests of the Data Controller
Processing on the basis of the legitimate interests of the data controller is likely to remain a favourite legal basis. Be careful, it cannot be used by public authorities and it is not a free-for-all. Despite its potential wide application, the bar for acceptability is likely to be set quite high. The ICO is reportedly planning on producing guidance on the use of this basis but until then remember, if you can achieve the purpose by some other means then the processing won’t be considered necessary (and this legal basis won’t apply).
The inability to use legitimate interests also applies if you only need to carry out processing because of the way you’ve decided to operate your business. If your aim could have been achieved using an alternate business model which would not have involved processing personal data then there is no legitimate interest in your doing so.
Special Category Personal Data
Article 9 requires that selected categories of personal data are not processed unless one of the exceptions applies.
Explicit consent is included therein but a large number of other bases for processing are also available. If you intend to carry out processing of such categories of data it’s essential to thoroughly investigate the legal bases before commencing processing. Despite their numbers, they are very specific and the purposes considerably limited.
Whether you choose to process personal data on the basis of consent alone, in conjunction with other legal bases or simply stick to alternatives, it’s important to remember that you must be able to justify all data processing.
Ascentor’s other GDPR resources
Preparing for the GDPR? Ascentor can steer you through the GDPR maze. This is your action plan, produced in one week. It’s a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
We look at what the role entails, and the skill sets required, and cut through some of the confusion we’ve noticed. For example, what exactly is a DPO and does every organisation actually need to appoint one?
Although GDPR is a huge data management undertaking, compliance needn’t be an insurmountable challenge. In this article, we’ve summarised the steps an organisation needs to consider to ensure it does comply.
At a glance, GDPR can be broken down into four key areas – we look at each and what they could mean for your organisation.
A Slideshare presentation to help convince the board to get ready for GDPR compliance, with a handy checklist and additional GDPR resources.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss the topic of GDPR and data protection in more depth or any aspect of IA and cyber security, please contact Dave James, MD at Ascentor.
This is a guest blog for Ascentor, written by Arianne Kitchener LLM.