Under the GDPR, data controllers must identify their lawful basis for processing an individual’s personal data. There are 6 to choose from and perhaps the most widely misunderstood one is the basis of Consent.
What is GDPR Consent?
At first glance, Consent may seem the obvious lawful basis for a particular processing activity (e.g. direct marketing), but the GDPR standard for consent is very high. Data controllers should take time to consider all the available lawful grounds and decide whether Consent is truly the most appropriate one for the processing.
The Article 29 Working Party (now the European Data Protection Board) guidelines on Consent under the GDPR state:
“Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment. When asking for consent, a controller has the duty to assess whether it will meet all the requirements to obtain valid consent. If obtained in full compliance with the GDPR, consent is a tool that gives data subjects control over whether or not personal data concerning them will be processed. If not, the data subject’s control becomes illusory and consent will be an invalid basis for processing, rendering the processing activity unlawful”
So how do you determine whether Consent is the best lawful basis for your processing activity? Let's break down the elements of Consent. GDPR-compliant Consent is:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
“Freely Given” means that a person must be given real choice and control, including a separate choice for each purpose of processing. A person must also be able to refuse or withdraw consent as easily as they gave it: for example, anyone who ticked a box on an online form to subscribe to emails should have a similar, one-click method to unsubscribe from those emails.
Additionally, consent typically will not be considered freely given where there is a “clear imbalance between the data subject and the controller” (e.g., between an employee and employer), or where the giving of consent is incentivised, for example, where a company offers a prize or something of high value to get people to sign up to their weekly marketing emails.
Specific and Informed
Consent must also be specific — i.e., it must be tied to “one or more specific purposes” and the data subject must have a choice in relation to each. So, where consent for multiple purposes was previously bundled together on consent forms, much more granular consent forms are starting to appear.
Consent must also be informed. This means that, at the least, the individual should be told the data controller's identity, what kind of data will be processed, how it will be used, the safeguards that are in place (e.g. to protect against a breach), any use of the data in automated decision-making, and any potential transfers to another country. They must also be told of their right to withdraw consent at any time. This information must be easily accessible, must use clear and plain language, and must be communicated before consent is obtained, so that the individual understands what they are agreeing to.
Finally, consent must be unambiguous. The data subject must indicate their wishes by a statement or by a clear affirmative action signifying their agreement to the processing of their personal data. Because of this, “Silence, pre-ticked boxes or inactivity should not therefore constitute consent.”
How long consent lasts depends on the individual context, so organisations must determine the duration themselves. This also means being able to justify, when challenged, why they have chosen that duration and the associated data retention period. This decision must be documented and form part of the organisation's records of processing activities.
Data subjects have the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. Companies must also keep an audit trail of consent: who consented, when they consented, what they were told at the time, how they consented, and whether consent has been withdrawn (including the date, time and method of withdrawal).
Do I need Consent?
Is Consent the best lawful basis for your data processing activity? Familiarise yourself with all the legal grounds available to you under the GDPR (Article 6) and, if Consent is the most appropriate, consider these next steps:
- Review your current consent forms – do they ensure consent is “freely given, specific, informed and unambiguous” as per the descriptions above?
- Ensure you have told individuals that they can withdraw their consent and how to do it.
- Confirm that you are keeping detailed records of consent on file (who, when, what they were told, how they consented and whether consent has been withdrawn).
- Create a process for managing consent – review regularly to ensure the purpose of processing has not changed, refresh consent at appropriate intervals, process withdrawals of consent immediately.