Consent is one of the grounds for lawfully processing personal data under the current Data Protection Act 1998 and will remain so under the General Data Protection Regulation (GDPR).
'Consent' is a concept that frequently confuses people. Many organisations appear to ask for consent when they already have another lawful basis for processing. Asking for consent when it is not required could mislead the individual into thinking that they can prevent the processing by withdrawing that consent.
Consent can also be particularly problematic when the individual does not have a genuine choice to withhold consent (for example, in an employer/employee relationship).
Under the GDPR, the concept of consent is being strengthened, with a number of new rules, requiring organisations to provide more transparency.
The Information Commissioner's Office (ICO) has published draft guidance, which seeks to help organisations better understand the concept of consent. You can access that guidance here: http://brodi.es/2nDjxpS
What's changing under the GDPR?
In addition to the existing requirement that consent is freely given, specific and informed, consent must be 'unambiguous' and given 'by a statement or clear affirmative action'.
The GDPR introduces a number of other changes:
Unbundled - the request for consent should be set out separately from other terms and conditions and from any other requests.
Active opt-in - organisations must use unticked boxes or similar. Pre-ticked boxes or opt-out mechanisms will generally be invalid.
Granular - separate consent should be sought for different types of processing.
Named - each party relying on the consent needs to be clearly identified. The ICO's view is that 'even precisely defined categories of third party organisations' will not be sufficient.
Documented - organisations need to keep records showing what an individual was told, what they consented to and when and how consent was given.
Easy to withdraw - it must be as easy to withdraw consent as it is to give it. Individuals need to be told that they have the right to withdraw consent.
No imbalance - organisations cannot rely upon consent where there is an imbalance in the relationship so the individual doesn't have genuine choice. Consent may be particularly difficult for public authorities and employers.
Do I need to 're-paper' my existing consents?
In all likelihood, yes. The ICO's view is that there is no express requirement for organisations to seek fresh consent from individuals when the GDPR comes into force, provided that the organisation is satisfied that the consent it originally obtained meets the GDPR's requirements.
If the organisation cannot demonstrate that it has obtained GDPR compliant consent, then fresh consent will be required.
Given the stricter rules under the GDPR, it is likely that many organisations will need to refresh their consents in advance of May 2018. Organisations will need to be particularly careful when dealing with individuals that have opted out of electronic marketing.
Of course, these stricter requirements for consent may make it more attractive for organisations to look for other lawful justifications for processing in preference to consent.
What about sensitive personal data?
The GDPR requires that consent for processing sensitive personal data is 'explicit'. Explicit consent is also one of the gateways to carrying out automated decision-making.
The ICO states that explicit consent cannot be implied from a person's actions. There must be a clear, affirmative statement, for example ticking a box next to a clear statement such as "I consent to...".
In contrast, the ICO's view is that consent can be implied for non-sensitive personal data provided that there is some clear and unambiguous act (for example, leaving a business card to enter a prize draw, which the guidance says is "arguably still implied rather than explicit").
Organisations that need explicit consent for processing should ensure that the consent is obtained by an express statement rather than inferred from the individual's conduct.
Is there anything else to be aware of?
- Consent needs to provide individuals with a genuine choice. The ICO's view is that consent cannot be a precondition of a service. Instead, look at other grounds for processing, for example that the processing is necessary for the performance of a contract, or that it is in the organisation's legitimate interests.
- Consent is not available where there is an imbalance between the organisation and the individual. The GDPR makes specific reference to public authorities. Public authorities will also lose the ability to rely upon the legitimate interests condition, which means that they will need to think very carefully about the lawful basis for their processing.
- Special rules apply in relation to consent from children to use websites and apps. If the child is under 16 (or 13, if the UK opts to apply a lower age) then any consent will need to be provided by a parent or guardian.
- Consent needs to be kept under review. It should not be viewed as a one-off activity and may require to be refreshed from time to time.
In preparation, organisations should:
- look at their existing use of consents;
- work out whether consent is the most appropriate basis for the processing; and
- consider whether those consents need to be refreshed and if so, how that can be done.
This will require organisations to look not just at their electronic consents, but also at their historic, paper-based consents, which will be a sizeable task.