The GDPR sets a higher bar for achieving consent to data processing than the outgoing legislation so guidance has been eagerly anticipated. The UK's ICO published draft guidance (guidance) together with a consultation in March 2017.
The ICO received over 300 responses to its consultation on the draft guidance. Having originally expected to publish a report on the responses and final guidance by June 2017, the ICO recently announced in a 'myth busting' blog, that a final version would only be published after the Article 29 Working Party has produced its own guidance which is due by the end of this year. The draft guidance does add some flesh to the bones of the legislation and should help data controllers understand consent under the GDPR and we agree with the ICO's own view that organisations should look to the draft guidance now, rather than hold off and wait for the final version.
Why has consent become such an issue?
Under the Data Protection Directive, consent is one of the grounds for the lawful processing of personal data. This remains the case under the incoming General Data Protection Regulation (GDPR), but the bar for achieving valid consent has been raised. While the changes to the drafting are small, the impact is significant, leaving many organisations struggling with the question of whether they will have to collect renewed consent from data subjects or rethink the grounds for lawful processing of the personal data they control altogether.
So when can you rely on consent to process personal data?
The overriding message is that consent can only be used as a grounds on which to justify data processing where it is the most appropriate of the six methods for establishing lawful processing. Consent should be thought of as “an organic, ongoing and actively managed choice”. It must only be used where the data subject has genuine choice and control (including the ability to withdraw consent easily). If the data would be processed anyway, with or without consent, then the processing should not be based on consent. Consent must, however, be obtained where no other lawful basis applies. This is in addition to any requirements under PECR (which are not entirely consistent).
What does this mean for you?
Organisations need to review their grounds for lawful data processing. For those organisations which rely on consent, consents need to be reviewed. Existing consents will remain valid under the GDPR, provided the GDPR requirements are met. Many organisations will, however, either need to obtain fresh consent or find another lawful basis for processing. This is particularly relevant for HR data, in the context of which, the ICO indicates it will be very difficult to meet consent requirements under the GDPR.
In addition, businesses will need to look closely at how they collect and record consent. The evidentiary requirements are more stringent under the GDPR and the validity of the consent will depend heavily on how it was obtained, including the degree of transparency, the method by which it was collected, the information given at the time of consent and the ability to withdraw consent without suffering detriment.
Where consent is relied upon, it will affect individuals’ rights: “people will generally have stronger rights when processing is based on consent. For example, the right to erasure and to data portability.”
When will consent be inappropriate?
The guidance also makes it clear that consent will very rarely be appropriate in an HR context because it is unlikely to be genuinely freely given, and that employers should look to base their processing on the ‘legitimate interests’ justification, or on another ground such as the processing being necessary for performance of a contract or due to a legal requirement. Consent is also inappropriate where it is required as a precondition of accessing services.
The guidance suggests that legitimate interests can include commercial benefit unless that is outweighed by harm to the individuals’ rights and interests. One of the main tools in helping preserve the appropriate balance is transparency. In order to protect the individual, it must be made clear to them what data is being collected, how it is being processed and stored, and what it is being used for
What is needed for valid consent?
In order for consent to be valid, the ICO says:
- It must be freely given i.e. there must be genuine ongoing choice and control which includes being able to refuse consent without detriment and being able to withdraw it easily.
- Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity as well as the information about the right to withdraw consent at any time. It should also name third parties who will rely on the consent.
- Consent requests must be prominent and unbundled from other terms and conditions, concise and easy to understand and user-friendly. They should be granular and specific.
- Consent should be obvious and require a specific positive action to opt in – this does not have to be in words but there must be a clear signal of agreement, for example, signing consent, oral confirmation, a binary choice or switching technical settings away from default. This does leave room for implied consent in some circumstances where there is a positive action of agreement (e.g. an individual drops a business card into a prize draw box), but it would not extend beyond the obvious and necessary.
- Pre-ticked boxes are specifically banned and opt-out boxes are banned by implication.
- Explicit consent must be expressly confirmed in words (either oral or written), rather than by any other positive action.
- There is no set time limit for consent. How long it lasts will depend on the context so it should be reviewed and refreshed as appropriate.
- Parental consent will always expire when the relevant child reaches the age at which they can consent for themselves.
Obtaining, recording and managing consent
The guidance also deals with how to obtain, record and manage consent. The ICO acknowledges the tension between ensuring consent is sufficiently specific and making it easy to understand. This means that it may not be possible to get blanket consent for a large number of parties, purposes or processes. In any event, consent should be granular so separate consents should be obtained for different types of processing unless there are good grounds for bundling them together. People should not be obliged to agree to all or nothing. Methods which can be used include:
- signing a consent statement in paper form;
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link;
- selecting from equally prominent yes/no actions;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent;
- answering yes to a clear oral consent request; or
- volunteering optional information for a specific purpose.
The use of ‘just in time’ notices is recommended and the most user friendly method should be used. This is particularly the case for online consent where the prominence of the request should correspond to the privacy impact. Data subjects do not have to create an online account in order for consent to be obtained but if a temporary session is used and consent is not obtained, all data must be deleted. In order to record consent in line with the GDPR, there must be an effective audit trail of how and when consent was given, for example, using a cryptographic hash function to support data integrity.
Good records must demonstrate:
- who consented;
- when they consented;
- what they were told at the time;
- how they consented; and
- whether they have withdrawn consent and if so when.
Good management practice includes providing preference-management tools like privacy dashboards or other easy ways to withdraw consent or manage preferences. It must be as easy to withdraw consent as it was to give it. Thought should also be given to when and how consent should be refreshed.
For those organisations which rely on consent as a lawful basis for processing under the GDPR, provided the GDPR requirements are met, there will be no need to obtain fresh consent. Many organisations will, however, either need to obtain fresh consent or (for example, employers) find another lawful basis for processing.