GDPR and consent to process personal data were a regular talking point in 2017, especially after the Information Commissioner issued draft guidance for consultation in March 2017.
The issue of the subsequent final guidance has been delayed a number of times, with February currently anticipated.
In the meantime, it’s possible to look at the GDPR and the draft guidance to draw some reasonable conclusions as to what the Information Commissioner’s expectations will be in the final guidance.
GDPR defines “consent” as:
“a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
It further says: “This could include ticking a box when visiting an internet website, choosing technical settings… or another statement or conduct which clearly indicates… the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
The GDPR also says that: “the controller must not simply obtain consent, it must also be able to demonstrate that the data subject has consented to processing of his data, meaning that records will need to be kept for consent to be verifiable” and “requests for consent in the context of a written declaration or that are pre-formulated must be presented in an intelligible and easily accessible form, using clear and plain language and (in the latter case) not including any unfair terms”.
Finally, the GDPR gives a specific right to individuals to withdraw consent at any time.
Consent may prove difficult to obtain and you need to keep records to verify it.
If you have a sign-up form on a website, keep a screenshot of the page so you can verify the details people have signed up to. If you get consent in paper format, scan the forms and retain the scans.
Consent also has to be regularly refreshed, so you need to go back on a regular basis and ask the individual again whether they are happy for you to continue processing their information.
What does “regularly” mean? Well, it depends on the type of information you have and what you are using it for. So put yourself in the individual’s position and consider what you think to be reasonable.
For a newsletter mailing, it might be appropriate to check consent every two years. Once you have decided what the period will be, make sure you document it as part of your processes. Then, if you are asked to justify the decision, you have all the reasoning already in place.
Also, where you rely on consent, the individual can withdraw it at any time, and this means you would need to stop processing their information. Sometimes it is more appropriate to use one of the other legal bases for processing and only use consent if you have to.
Remember that to process the special categories of data (sensitive personal information), you may need consent to be able to do that.
What are the other options aside from consent?
The six lawful bases for processing personal information are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
I’d suggest that the other five are your first consideration, with consent only being used as a basis where none of the others are applicable.
For example, information to verify a client’s identity under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) does not require consent, as it’s processed to comply with a legal obligation.
Ian Cooley, GDPR, Data Protection and Privacy Specialist at GDPR Advisors UK.