Consent is a vital area for data protection compliance and even more so under the GDPR. The GDPR sets a high standard for consent and contains significantly more detail than the DPA in relation to consent requirements, although the main principles remain unchanged.
In particular, requests for consent must be provided in an easily accessible form, and consent must be as easy to withdraw as it is to give.
Definition under the DPA
Consent is not defined in the DPA; however, the European Data Protection Directive (‘EDPD’) defines consent as:
“Consent of the data subject means any freely given, specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
What does the EDPD definition really mean?
Consent under the EDPD is fairly broadly defined, and businesses are often able to rely on implied consent or on consents bundled up in lengthy, incomprehensible terms and conditions.
The EDPD distinguishes between ordinary consent and explicit consent. Whilst ordinary consent will be sufficient to satisfy the condition for lawful processing, explicit consent will be required to process sensitive personal data.
Definition under the GDPR
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
What does the GDPR definition really mean?
Under the GDPR the requirements for consent have been strengthened to require a positive and unambiguous action to ‘opt in’. Silence, pre-ticked boxes and inactivity will not constitute consent.
Consent requests must be kept separate from other terms and conditions. Where there are multiple processing activities, consent must be given for each separate activity; otherwise it will not be valid.
What are the significant differences between the DPA and the GDPR?
The GDPR significantly strengthens the standard of consent and requires data controllers to give individuals more choice and control over how their data is used. Consent under the GDPR is no longer a one-off decision but an ongoing issue to be carefully monitored. Individuals may withdraw their consent at any time without penalty, and the mechanisms for withdrawing consent should be as easy as those for giving it.
Individuals must be given a genuine choice about whether or not they consent. If they do not have a choice, consent will not be deemed to have been freely given and will not be valid. The GDPR expresses this in terms of an imbalance of power between the data subject and the organisation requesting consent, such as in an employment relationship. Even if consent is obtained, it may be deemed invalid under the GDPR because that imbalance of power means the consent is not freely given. In this situation data controllers should look to the other lawful bases for processing to determine whether another relevant condition is present that allows them to process the data without requiring consent from the data subject.
If no other options are available and consent is required, the GDPR imposes a greater obligation on data controllers than is currently present in the DPA. There is a requirement to demonstrate that a data subject has consented to the processing of their personal data by keeping a record of:
- the information given to individuals as part of the request (e.g. purpose for which the data was required);
- how and when the consent was given; and
- what the individual has consented to.
What effect will this have on UK businesses?
The concept and definition of consent remain largely unchanged by the GDPR; however, the mechanisms through which consent may be obtained will see significant changes, and obtaining consent is likely to be much harder under the additional requirements set out in more detail below.
The effect on UK businesses will depend on whether consent is the primary legal basis upon which processing is carried out. As many businesses process data on the basis of consent obtained from the data subject, all of those businesses will need to ensure they are aware of the conditions they must satisfy to obtain valid consent.
Processing data without a valid consent, particularly in an imbalance of power situation, could not only lead to a hefty fine but could also cause reputational damage.
What will my business need to do?
You should review your consent practices and existing consents as these will need to be updated if they are not GDPR compliant. The key changes you will need to make include:
- Separating any requests for consent from your main terms and conditions. Consent should not be bundled up as a condition of service unless it is absolutely necessary for that service.
- Removing any pre-ticked opt-in boxes. Any binary choices should be given equal prominence.
- Giving users more options so they can consent to different types of processing rather than using an ‘all or nothing’ approach.
- Providing details of your organisation and any third parties who will be relying on the consent.
- Ensuring you have mechanisms in place to record details of the consent given.
- Providing information on how to withdraw consent.
Do I need to obtain further consent if consent is already in place?
Not necessarily. If your current processes and records are compliant with the GDPR, there is no need to reobtain consent. If you are not compliant, processing of that data should stop until you can demonstrate that you have obtained valid consent from all data subjects or that you have an alternative legal basis for processing.
How long does consent last?
There is no specific time limit for consent under the GDPR. Consent will continue until it is withdrawn; however, it will only apply to the specific purpose for which it was given. If the purpose or the methods used to process the data change, fresh consent will be required. It is good practice to periodically check with individuals that they still consent to the processing of their personal data. If consent is withdrawn, the data may no longer be processed unless another legal basis applies.
How should I manage withdrawing consent?
The ability to withdraw consent to processing must be exercisable at any time. Providing an ‘opt out’ link in an email or other correspondence may not, on its own, be sufficient for GDPR compliance. Where possible, you should ensure that individuals are able to withdraw consent in the same manner in which it was given. Importantly, no penalty should be imposed on individuals who choose to withdraw consent.
What is ‘explicit consent’?
Explicit consent is not defined in the GDPR but is likely to be very similar to the definition of consent. The main difference is that explicit consent must be affirmed in a clear statement, either in writing or orally. Depending on the circumstances, consent given by way of an affirmative action alone may not be deemed sufficient to amount to explicit consent.
Example: You ask your customers for their email addresses and you tell them that you will use their email address to send them information about your products. By giving their address, the customer has made a specific, informed choice to consent to those emails. This is still likely to be implied consent rather than explicit. A tick box with the statement “I consent to receive emails about your products” would be considered explicit consent.
What are the alternatives to consent?
Consent is only one lawful basis for processing data, and it can often be the most difficult to rely on. There are many others, including:
- The existence of a contract with the individual – e.g. to supply goods and services that require processing of personal data.
- Compliance with a legal obligation – e.g. you are required to process data by UK or EU law.
- Vital interests – you can process personal data if it is necessary to protect someone’s life.
- A public task – if you are a UK public authority, this is likely to give you a lawful basis for many, if not all, of your activities.
- Legitimate interests – if you are a private organisation, you can process personal data without consent if you have a genuine and legitimate reason.
Why do I need to obtain consent if there are alternatives?
Whilst often difficult to obtain, consent is the only reasonable option in certain cases, and in those cases it can legitimise otherwise restricted processing. Explicit consent obtained from a data subject for the use of sensitive personal data, for automated decision making (including profiling) and for overseas transfers is able to legitimise that processing, which may be difficult to achieve under any of the other lawful bases for processing.
In these cases, where the other options for processing are limited, compliance with the GDPR requirements for consent is crucial.
- DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
- EDPD means the European Data Protection Directive 95/46/EC, the EU directive that the DPA gives effect to in the UK.
- GDPR means the General Data Protection Regulation, the EU regulation that replaces the regime under the Data Protection Act 1998.
This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.