Consent from the data subject was a ground for legal processing under the DPA and it remains so under the GDPR. However, the GDPR imposes more stringent requirements on consent, meaning that organisations will need to revisit the ways in which they obtain consent from data subjects for the processing of their personal data. There is also a higher threshold for the consent of children.
How does this concept differ from the current position?
In order to be able to lawfully process an individual’s personal data, an organisation must be able to establish a legal basis under Article 6 of the GDPR. One of the grounds for lawfully processing data is consent of the individual whose data is being processed. Consent under the GDPR must be:
- Freely given – the data subject must not feel compelled to consent because of an imbalance between the subject and the controller (especially where the controller is a public authority), or because the controller makes data processing a condition for the performance of a contract (e.g. a service). Consent is presumed not to be freely given if the data subject does not have a genuine free choice or if they are put at a disadvantage by withdrawing or refusing their consent.
- Specific and informed – the individual must be given sufficient information regarding the controller and the purpose(s) of the processing, and consent cannot be ‘bundled’ together where different processing activities are taking place; consent must be given to each such activity separately.
- Distinguishable and in clear and plain language where consent is given in a written document which also concerns other matters (for example, terms of service).
- Given by an affirmative action – inactivity (e.g. pre-ticked boxes) cannot constitute consent. However, consent through a course of conduct remains valid.
- Verifiable – the controller must maintain a record.
- As easy to withdraw as to give – the individual must be given the right to withdraw consent at any time. Individuals should be made aware of this right prior to giving consent and on a continuing basis.
Consent must be explicit if you are processing sensitive personal data or transferring personal data outside the EU. Explicit consent cannot be obtained through a course of conduct.
What is the impact for organisations?
Recital 171 of the GDPR states that where the consent an organisation obtained under the DPA fulfils the standards for consent under the GDPR, that organisation will not need to obtain consent again from the individual in question.
If organisations rely on consent as a basis for processing data, they should start reviewing the consent obtained to verify whether it complies with the higher standard under the GDPR. If it does, very little change will be required. If, however, it does not, organisations will need to take steps to meet these standards, or they will have to cease processing the personal data.
What action is required?
- Review the way you obtain consent to confirm it meets the requirements of the GDPR: for example, do not use pre-ticked boxes, and do not rely on inactivity of the data subject as consent.
- Implement a process to manage requests to withdraw consent. Questions to consider include how the individual can request withdrawal, and how you will record and act upon that request.
- Keep a clear and up to date log of when and how consent was obtained.
- Keep the individual informed of the purpose(s) of the processing, the name and contact details of your organisation, and any further important details.
- Companies should start reviewing and updating existing contracts, general terms and conditions, and other documents to make sure that the consent section is clearly distinguished and written in clear and unambiguous terms.
- Avoid making data processing a condition for performance of a contract, unless data processing is necessary for performance of that contract.