Consent to use data under the GDPR
There are six bases for lawfully processing an individual’s data under the General Data Protection Regulation (“GDPR”), and offering people genuine choice and control over how their data is used, ie by consent, is one of them.
This article reflects the draft guidance on consent issued by the Information Commissioner's Office (“ICO”) in March 2017 (“Guidance”). A final version of the Guidance is due to be published in June 2017, although this timescale may be affected by developments at European level. However, it is unlikely to change dramatically before the GDPR comes into force on 25th May 2018.
What’s new regarding consent under the GDPR?
The biggest change is that the GDPR sets a higher standard for consent than under the Data Protection Act 1998 - an indication of consent by an individual must now be ‘unambiguous’ and involve ‘a clear affirmative action’.
The other main changes are:
- Pre-ticked opt-in boxes are specifically banned.
- Consent should be separate from other terms and conditions.
- Clear records must be kept to demonstrate consent.
- There is a specific right to withdraw consent.
- Existing consents and consent mechanisms will need to be reviewed to check they meet the GDPR standard.
So how is valid consent to use data obtained?
- Positive opt-in - the individual must actively opt-in or choose to give their consent so that it is unambiguous and involves a clear affirmative action.
- Explicit consent - this is necessary in relation to processing sensitive personal data or any automated decisions using personal data. There is no definition of ‘explicit consent’ in the GDPR as such, but ‘explicit’ consent must be confirmed in words in a clear oral or written statement (ie not simply by conduct or an action).
- Clear language - any request for consent must be prominent, concise, easy to understand and in clear and plain language. Technical or legal jargon and confusing terminology (eg double negatives) should be avoided.
- Freely given - consent must be freely given and there must be no imbalance in the relationship between the individual and the data controller. This will make it difficult for employers and for public authorities to rely upon consent and it may therefore be wise for them to use one of the alternative bases for legal processing (see below). Public authorities will often be able to rely upon the ‘public task’ alternative.
- Cover purposes - consent must specifically cover the purposes of the processing and the types of processing activity.
- Kept separate - consent requests need to be kept separate from other terms and conditions. They should not be a pre-condition of signing up to a service unless the consent is limited to what is necessary to receive the service.
- Third parties - the entity to whom the consent is being given must be identified. If third parties are also going to be relying upon the consent, they need to be explicitly identified.
- Right to withdraw consent - it must be easy for individuals to withdraw consent and they must be told how to do so. It must be as easy to withdraw consent as it was to give it in the first place.
- Children - if consent is being sought in the context of online services offered directly to children, age verification and parental consent measures must be in place. Parental consent expires when the child reaches the age at which they can consent for themselves, which is likely to be 16.
What is not allowed?
- Pre-ticked boxes/consent by default - these are not permitted and a failure to opt-out will not be considered to be consent. Confirmation that an individual has read a set of terms and conditions will also be insufficient.
- Inconsistent language and consent methods - inconsistent language and methods should not be used across multiple consent options and vague or blanket wording should be avoided.
- General descriptions of third parties - when identifying the entity to whom the consent is being given, a general description of any third parties who will be relying upon the consent is unlikely to be acceptable. How this will apply in the context of group companies is unclear.
How should consent be recorded and managed?
- Keep records - evidence should be kept in relation to the consent given: who, when, what the individual was told, how they consented and whether consent has been withdrawn. Simply maintaining a list of names with some names marked ‘consent provided’ will not be enough.
- Review - regular consent reviews should be built into business processes, eg by considering:
  - renewal - previous consents may need to be renewed if they do not meet the GDPR standards for consent outlined above;
  - refreshes - consents may need to be refreshed if something relevant has changed. Consent is seen as an ongoing choice which can be actively managed and is not a one-off election. The GDPR does not set a specific time limit for consent, but how long it lasts will depend on the scope of the original consent and the individual’s expectations.
- Withdrawal procedure - proper withdrawal procedures should be in place so that the individual can opt out at any time they choose, on their own initiative.
Why is it important to get valid consent?
Basing your processing of customer data on GDPR-compliant consent, rather than relying on inappropriate or invalid consent, has very different consequences:
- Getting it right - this means:
  - giving individuals genuine choice and ongoing control over how you use their data;
  - ensuring your organisation is transparent and accountable; and
  - helping build customer confidence and trust and enhancing your reputation.
- Getting it wrong - this can:
  - erode trust in your organisation; individuals are unlikely to want to engage with you if they think they cannot trust you with their data, that you do things with it that they don’t want or expect, or that you make it difficult for them to control how it is used or shared;
  - damage your reputation; and
  - leave you open to substantial fines of up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.
What alternatives are there to process data lawfully other than by obtaining consent?
You can process personal data without consent if it is necessary for:
- A contract with the individual - for example, to supply goods or services they have requested or to fulfil your obligations under an employment contract.
- Compliance with a legal obligation - if you are required by UK or EU law to process the data for a particular purpose.
- Vital interests - if it is necessary to protect someone’s life.
- A public task - ie to carry out your official functions or a task in the public interest and you have a legal basis for the processing under UK law.
- Legitimate interests - if you are in the private sector and you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
Remember that even if you are not asking for consent, you will still need to provide clear and comprehensive information about how you use personal data, in line with the ICO’s Code of Practice on Privacy Notices, Transparency and Control.
Further information
Additional details can be found in the Guidance itself.
We have also written other articles on the GDPR: The Impact of the General Data Protection Regulation (on limitation of liability and indemnities in the particular context of data security), The General Data Protection Regulation - Apportioning Security Risk, and, on a related data protection matter, the EU-US Privacy Shield.
Otherwise, if you require any further information or have any queries on this topic, please contact us at info@TRGlaw.com.
26th April 2017