The Article 29 Working Party gave us its draft consent guidelines for Christmas. There are some areas of confusion which we expect to be ironed out by the final version.
What’s the issue?
Under current EU data protection rules, many organisations have relied on consent as the lawful basis for the processing of personal data, often using it as a ‘fall back’ position where other lawful bases may be hard to pin down. Under the incoming GDPR, there will be an enhanced consent requirement whereby consent must be freely given, specific, informed and a clear indication of the data subject’s wishes. In addition, it must be capable of being withdrawn without detriment to the data subject, and the data controller must be able to demonstrate valid consent was obtained prior to the relevant processing.
What’s the development?
The Article 29 Working Party (made up of European data protection regulators) has published draft guidance on consent for consultation. This adds flesh to the bones of the legislative provisions and answers some (although by no means all) of the questions data controllers may have around GDPR consent.
What does this mean for you?
Organisations relying on consent need to review their current consents to ensure they are GDPR-compliant. If the review reveals that an existing consent will not be valid under the GDPR, there is a one-time window of opportunity either to obtain GDPR-compliant consent or to change the lawful basis on which the relevant processing takes place.
Going forward, organisations need to be very careful about choosing to rely on consent because, despite some confusion on the point, it appears that they will not be able to switch to another lawful basis for that same processing if consent is later withdrawn. Employers should note that they are very unlikely to be able to obtain a valid consent in an HR context, given the imbalance of power between employer and employee.
The lawful basis for each processing purpose needs to be identified before the processing takes place. If consent is chosen, valid consent has to be obtained in a demonstrable and compliant way, before the processing takes place. This means organisations will need to implement appropriate procedures and systems to put the GDPR consent requirements into effect.
It is to be hoped that some of the more confusing and contradictory elements of the guidelines will be refined by the final version but, in the meantime, they are, for the most part, helpful.