Consent is one of six lawful bases for processing personal data. For consent to be valid, it must be:
- freely given;
- informed; and
- unambiguous in how it is provided by the relevant person.
Under the GDPR, the Article 29 Working Party notes that when consent is used as the basis for processing personal data, the data subject should be offered control over which personal data are processed and for what purposes. The individual should also be informed of the right to withdraw consent at any time. If there are multiple processing operations, the individual must be free to choose which, if any, to consent to. Should a data subject refuse to give consent to any processing activity, this must not result in any detriment to the data subject. At no time should a data subject feel compelled to give consent to a data controller. Data controllers must also be aware that consent cannot be validly obtained if it is hidden within terms and conditions, nor should it be bundled with or tied to other services or documents. If consent is given for a particular purpose, a data controller must always obtain fresh consent for any new purpose envisaged for such data if the controller wishes to continue to rely on consent.
Controllers should keep records and evidence of any consent obtained and are free to implement their own methods of doing so. It is the explicit obligation of every controller to be able to prove that it has lawfully secured each data subject's consent. Evidence of the consent obtained must be available for production for as long as the processing of the data takes place. Once the processing has ended, details of the consent obtained should be retained only for as long as is necessary to comply with any legal obligations or claims.
The GDPR is set to overhaul existing compliance practice in relation to obtaining consent for data processing. In light of these enhanced requirements, data controllers should be reviewing and assessing their current processes now to determine whether they meet the standards the GDPR requires.
The good news is that if current practices are already in line with the GDPR, a refresh of all existing consents is not required. If current practices are not GDPR compliant, controllers will have to obtain updated consent and implement new GDPR-compliant processes. In transitioning to the GDPR ahead of the deadline, a controller may be able to validate existing processing currently based on consent by establishing a different legal basis under the GDPR for that processing. Businesses should establish with their legal advisors now that they have the correct legal basis in place for every processing activity, because after 25 May 2018 it will be a difficult and expensive process, if possible at all, to switch from one legal basis to another.