Welcome to the next blog in our series on the GDPR. This instalment covers the most demanding area of the GDPR: the issue of consent.
The GDPR demands a very high standard for consent. Do it well, however, and it puts individuals in control of their personal data while helping organisations build customer trust and enhance their reputation. Conversely, get consent wrong and the penalties could be severe, both in monetary fines and in damage to company reputation.
Consent is such a significant area of the GDPR that Birmingham City University, amongst others, has ongoing PhD research surrounding the concept of consent and the GDPR.
Organisations should review how they obtain, record and manage consent to determine whether any changes are required to comply fully with the GDPR.
In particular, this article will focus on defining consent, how consent is obtained, how approval is recorded and the individual’s right to withdraw consent without penalty.
What is consent?
The basic concept of consent as a lawful basis for processing personal data is already in place within the Data Protection Act 1998 (DPA), and indeed the definition and role of consent are very similar under the GDPR. The GDPR does, however, build on the DPA standard of consent, incorporating greater detail and codifying existing European good practice.
In particular, the GDPR requires far more granularity in the mechanisms for consent, opt-in methods and records of consent and, most importantly, simple and easy-to-access ways for consent to be withdrawn. The GDPR ultimately treats consent as an ‘ongoing and actively-managed choice’ by both the organisation and the individual. The era of the one-off compliance tick-box and the ‘file and forget’ approach to consent is history.
To highlight the changes to the standard of consent it is worth looking at the definitions of consent in both the DPA and the GDPR:
DP Directive definition:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
GDPR definition:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The key elements of the consent definition remain: consent must be freely given, specific and informed, and there must be an indication signifying agreement. The new requirement that this indication be unambiguous reflects the elevated standard required under the GDPR.
Having seen the differences above, it must be pointed out that there is no requirement to obtain fresh consent in preparation for the GDPR. Organisations do, however, need to be certain that the consent they hold to process an individual’s data meets the GDPR standard: specific, granular, clear, prominent, opted-in, properly documented and easily withdrawn. If any one of these areas is uncertain, fresh GDPR-compliant consent, or an alternative lawful basis to consent, should be sought.
Consent must be given freely and for a specific purpose, and the individual (data subject) giving consent must be given the information needed to make it informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. The request for consent must also be kept separate from other terms and conditions. Organisations are also required to have clear and simple methods in place for data subjects to withdraw consent.
Consent also has to be verifiable, and data subjects will have enhanced rights when organisations, especially employers, rely on consent to process their data.
Organisations controlling data are required to name any third parties that will rely on the data subject’s consent to process their data. For example, an organisation that provides goods to consumers and relies on a courier to deliver the order must notify the data subject, at the time the order is placed, that their personal data will be passed to the courier firm to fulfil the order. The organisation must not, however, make consent a precondition of the service or offer.
The GDPR sets out specific provisions with relation to children’s consent for online services which are beyond the brief outline covered by this blog.
Under the GDPR, organisations are required to keep evidence of consent: a record of what data subjects were told and when and, of course, a clear record of exactly what they consented to. Organisations must also ensure that consent is refreshed if anything relevant changes within the organisation, such as its governance or ownership.
Withdrawal of consent
Under the GDPR, consent has to be easy to withdraw. The Regulation states specifically that withdrawing consent must be as easy for the individual as giving it was in the first place. Data subjects must be told, at the time they give their consent, that they have the right to withdraw it at any time, and be told how to do so.
It is critical that no imbalance in the relationship between the organisation and the individual ensues if consent is withdrawn. Indeed, under the GDPR very serious penalties apply where there is substantive proof of such an imbalance following the withdrawal of consent by the data subject. This could lead to a fine at the highest administrative level – currently 4% of annual global turnover or £20m, whichever is higher. It is vital to get this right.