Published: 10 March 2017
Area of Law: Data Protection, Database Theft, Intellectual Property
Consent under the GDPR – Time to Opt Out?
The Information Commissioner’s Office (ICO) has now published a consultation paper with its proposed guidance for consent under the General Data Protection Regulation (GDPR). It adds some significant flesh to the bare bone set out in the GDPR. Helpfully the guidance also sets out the key practical changes that businesses need to for consent to be compliant under the GDPR. In this blog we’ve outlined the key points from the consultation paper.
The guidance makes it clear that consent under GDPR will be a more limited and challenging proposition than under the Data Protection Act (DPA) and that a lot of what was previously taken as consent won’t hold water under the new regime. Before relying on consent businesses should consider whether there is another lawful basis for processing (in particular, for private sector organisations, the use of the legitimate business interest basis). The new regime may make more than a few organisations move away from consent as a basis of processing.
Consent must be a genuine choice. If the individual has no real choice, this will not be consent. If consent is bundled as a condition of a service, this will not be consent. Similarly if there is a significant imbalance of power between you and the individual, consent will not be considered to be freely given. The guidance makes it clear that for employers dealing with employees and for public authorities you should look for another basis for processing. Similarly, the guidance clarifies that it is inappropriate to refer to ‘consent’ in a document when the processing would take place (under another basis for processing) in any event.
Consent must be informed. The guidance states that as part of the process of requesting consent, you must identify both yourself and also name any third parties who rely on the consent. This is a significant change from the previous approach of asking for consent to pass the information on to ‘partners of our choice’. This imposes a significant challenge to businesses of identifying all potential partners at the time of seeking consent.
Consent must be specific. Where you are seeking consent for multiple purposes or multiple processing activities you must provide granular consent for each. Bundling together a raft of consents for matters which could otherwise be separated out will not, under the GDPR, be an acceptable approach. Processing for purposes outside of the original request for consent would require a further consent.
Consent must be given by a clear statement or action. The guidance reconfirms the position in the GDPR that you cannot rely on silence, inactivity, default settings or pre-ticked boxes as the basis for consent. Dropping a business card into a prize draw is still an example of consent by an action (but only for the purposes of the prize draw – the consent wouldn’t extent to other marketing activities). Businesses need to be able to demonstrate the action actively taken by the individual signifying their consent.
Consent degrades over time. How long consent lasts will depend on the specific circumstances. For instance consent given for a summer offer would expire in the autumn. For more general consents, if it is not possible to justify a longer period, the guidance recommends refreshing consent every two years.
Consent can be withdrawn. The GDPR requires that consent can be withdrawn at any time and that it must be as easy to withdraw as it was to give. The guidance confirms that where possible individuals should be able to withdraw their consent using the same method as when they gave it but that businesses should also provide both online preference management tools and other ways off opting out (such as customer service phone numbers). If consent was not originally given on-line it may not be enough to only provide an online opt-out.
You need to keep records. The GDPR requires that where processing is based on consent, the data controller can demonstrate that the data subject has consented to the relevant processing. The guidance requires that organisations must keep records that show: who consented, when they consented, what they were told at the time (and what they consented to), how they consented and whether (and if so when) they have withdrawn consent.
The guidance confirms that, provided consent was originally obtained in a manner that is compliant with the GDPR, consent does not need to be re-obtained. Given the details contained within the guidance, organisations who are relying on consent as the basis of any processing need to review the appropriateness of this approach and whether the consents as given do comply with the requirements of the GDPR. Organisations will also need to review their processes and procedures to ensure that they comply with the record keeping requirements as set out in the guidance.
Read our related blog: 5 steps to data protection compliance for more information