Consent is a vital area for data protection compliance and even more so under the GDPR. The GDPR sets a high standard for consent and contains significantly more detail than previous data protection legislation, although the main principles remain unchanged.
In particular, requests for consent must be presented in an easily accessible form, and consent must be as easy to withdraw as it is to give.
Definition Under the GDPR
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
What Does the GDPR Definition Really Mean?
Under the GDPR the requirements for consent have been strengthened to require a positive and unambiguous action to ‘opt in’. Silence, pre-ticked boxes and inactivity will not constitute consent.
Consent requests must be kept separate from other terms and conditions. Where there are multiple processing activities, consent must be given for each separate activity; otherwise it will not be valid.
What are the Significant Changes Brought in by the GDPR?
The GDPR significantly strengthened the standard of consent. Data controllers are required to give individuals more choice and control over how their data is used. Consent under the GDPR is no longer a one-off decision but an ongoing matter to be carefully monitored. Individuals may withdraw their consent at any time without penalty, and the mechanisms for withdrawing consent must be as easy as those for giving it.
Individuals must be given a genuine choice about whether or not they consent. If they do not have a choice, then consent will not be deemed to have been freely given and will not be valid. Consent may also be deemed invalid where the data subject does have a choice but there is an imbalance of power between the data subject and the organisation requesting consent: in that situation the consent may not have been freely given, because the data subject may have been under pressure (or may have felt under pressure) to give it. This is most likely to occur in the relationship between an employer and an employee. In these circumstances, data controllers should consider the other conditions for processing to determine whether another relevant condition applies that would allow them to process the data without requiring the data subject’s consent. If you think you may have other grounds, it is important to explore those before seeking consent from a data subject. The ICO has emphasised that requesting consent from an individual would be considered “misleading and inherently unfair” if their personal data would still be processed on a different basis if consent was refused or withdrawn. If you intend to rely on an alternative ground should consent be refused, then the request for consent was not a genuine choice.
If no other options are available and consent is required, the GDPR imposes a greater obligation on data controllers than under the previous data protection legislation. There is a requirement to demonstrate that a data subject has consented to the processing of their personal data by keeping a record of:
- the information given to individuals as part of the request (e.g. purpose for which the data was required);
- how and when the consent was given; and
- what the individual has consented to.
You must ensure that there are no penalties for refusing consent and provide convenient ways for data subjects to withdraw their consent at any time.
What Effect has this had on UK Businesses?
The concept and definition of consent remain largely unchanged by the GDPR; however, the mechanisms through which consent may be obtained have seen significant changes, and obtaining consent is now much harder because of the additional requirements set out in more detail below.
The effect on UK businesses will depend on whether consent is the legal basis upon which processing is carried out. Any business that processes data on the basis of consent from the data subject will need to ensure it has satisfied the conditions for valid consent.
Processing data without valid consent, particularly where there is an imbalance of power, could not only lead to a hefty fine but could also cause reputational damage.
What Should my Business be Doing?
If you haven’t already, you should review your consent practices and existing consents as these will need to be updated if they are not GDPR compliant. The key changes you will need to make include:
- Separating any requests for consent from your main terms and conditions. Consent should not be bundled up as a condition of service unless it is absolutely necessary for that service.
- Removing any pre-ticked opt-in boxes. Any binary choices should be given equal prominence.
- Giving users more options so they can consent to different types of processing rather than using an ‘all or nothing’ approach.
- Providing details of your organisation and any third parties who will be relying on the consent.
- Ensuring you have mechanisms in place to record details of the consent given.
- Providing information on how to withdraw consent.