Introduction to Consent
Consent in data protection terms is a very hot topic at present as companies scramble to become GDPR compliant. Some of the headline grabbing changes that are coming are indeed a big shakeup – no automatic opt in, no non-disclosed uses of personal data, no pre-checked check boxes – but consent is not the only tool in a data processor’s kit.
The GDPR lists six legal reasons to process personal data, and ‘subject has consented’ is just one of them. Others include when obligated by contract (eg payroll), obligated by law (eg insurance investigation/court issue), in the subject’s best interest (eg medical intervention) and public interest (eg journalism).
There will be many cases where it is not necessary or even appropriate to get consent from a data subject before processing their personal data.
But if you are going to rely on consent as a legal basis for data processing, you need to know what consent means – how it is given, documented, and – crucially – how it is taken away.
Article 4 says Consent:
“Must be freely given, specific, informed and unambiguous indication of the data subject’s wishes in which he or she by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Recital 42 says that
“For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
An example of where consent might not be the go to solution would be payroll. An employee can’t give consent to use their banking details freely, because to refuse to do so would be to their detriment. Of course you still need to process your employee’s payroll – in this case Consent isn’t the way to go, but rather the second caveat of reasons to process personal data can be used, that ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment’
The GDPR states that the Data Controller must be able to demonstrate that the data subject has consented to the processing.
This means that checkboxes and menu options cannot start their life pre-ticked or pre-selected, and is one of the big changes the GDPR is bringing. The Controller must be able to demonstrate that the Subject was given a choice and decided to consent.
Consent must be able to be withdrawn at any time, and it must be as easy to withdraw consent as it was to give it.
In order to show compliance to Consent elements of the GDPR, there are three things to focus on implementing:
- That where it is appropriate to ask for consent you do so – and you explain why you’re asking, what you’re going to do with the consent and how long you’re going to do it for.
- That you record the decision.
- That the data subject can withdraw their consent at any time, and it be as easy to withdraw as it was to give.
How much you are affected by the changes to consent brought by the GDPR will depend mostly on what you do. Marketing companies, and anyone who is involved in the buying and selling of user data will see big changes ahead. SMEs and the majority of day to day individuals may only really experience consent from a personal point of view, as they are asked to re-opt in to mailing lists, or start to see longer explanations on web forms.
Will the changes to consent reduce the amount of spam we all receive?
Probably not – but it will give us a new reason to be annoyed by it.
The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best individual place for GDPR information in the UK is the ICO Website. You may also wish to obtain your own legal advice, which, again, this is not.