With the GDPR now less than 8 months away from becoming enforceable, businesses all over the EU, and indeed any company that processes the personal data of people in the EU, are scrambling to prepare in time for the legislation. The General Data Protection Regulation was designed to give users clarity and control over how their personal data is processed and held, but it has caused quite a bit of confusion for businesses about how this will actually work. Most people will have heard about the increased fines, as regulators can now fine offending bodies up to €20 million or 4% of global annual turnover, whichever is higher, but there is also a lot of misinformation and misinterpretation out there that makes the process even more difficult. To this end, there are a few things we would like to set the record straight on, particularly around consent. Over the coming weeks and months we hope to provide more guidance on areas prone to misinterpretation, so stay tuned!
With the stakes so high, it can be hard to tell the difference between important guidance and scaremongering when it comes to the GDPR.
Myth: You must always have consent to process someone's personal data.
Fact: Consent is not always required, and in some cases it may not be relied upon as a lawful basis at all (for example where there is a clear imbalance of power between the parties, as with an employer and its employees).
What is Consent?
Consent is one of the lawful bases for processing under the GDPR, and the word has understandably been thrust to the forefront of the conversation. Consent, in its simplest form, is permission from an individual for their data to be held and/or processed by an organisation for a specific purpose. The regulation itself (Article 4(11)) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
How Can Consent be Obtained?
Consent can be obtained in a number of ways, but it must always be obtained through a clear, affirmative action on the part of the user. The GDPR signals the end of pre-ticked website checkboxes, since these can cause users to give consent inadvertently rather than clearly understanding what they are agreeing to and giving it freely; silence and inactivity do not count either. Every time and place (online or on paper) that a user is asked to give consent, what they are consenting to and what their data will be used for must be explained in plain language, in plain sight, and separately from other matters such as general terms and conditions. Consent that is bundled into a contract the user must accept in order to receive a service is unlikely to count as freely given.
Do You Always Need Consent?
Not necessarily. For some activities, such as direct marketing to prospective clients, consent will usually be required (and electronic marketing is additionally subject to the ePrivacy rules, PECR in the UK). However, Article 6 of the GDPR sets out six lawful bases for processing personal data, and consent is only one of them. The others are: processing necessary for the performance of a contract with the data subject; compliance with a legal obligation; protecting someone's vital interests; performance of a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller or a third party, provided these are not overridden by the individual's own interests and rights. Processing special categories of data (such as health, religious or biometric data) additionally requires one of the conditions in Article 9. The ICO has published a list of these processing conditions, including the conditions for special categories of data, and we recommend you also refer to Articles 6-10 of the GDPR for the details. Whichever basis you rely on should be decided and documented before the processing starts.
What Data Should Be Processed?
The GDPR's data minimisation principle means that only data required for a specific purpose should be collected, with a clear explanation of why it is necessary. For email marketing, a user's name and email address might be required, but their employment status and gender would not. Which data is needed will vary greatly with the purpose, but companies are not permitted to request or hold personal data that is unnecessary for it.
How Long is Consent Obtained For?
Consent lasts only as long as it is needed for the specific purpose the user consented to; it is not indefinite. If you hold details of a previous customer and no longer need their data for an active purpose, you must either delete the data or obtain fresh consent to keep it, for example to provide a better service to them in the future. Companies are advised to have a clear retention policy and to routinely purge any data that is no longer required. In addition, a separate EU regulation, the ePrivacy Regulation, is currently in draft form and due for enforcement next year (rumours suggest it will be delayed); the draft proposes that users be reminded at six-month intervals that they can withdraw their consent. Again, stay tuned; we will provide updates as we know more.
Can Consent be Withdrawn?
Absolutely. The GDPR specifies that consent must be as easy to withdraw as it was to give. Websites and businesses will need an “always available” opt-out mechanism, so that data subjects (i.e. the people whose data it is) are in active control of their consent, and a withdrawal must take effect in every system that relies on that consent, not just in your mailing tool.
Does Consent Need to be Refreshed before the GDPR?
The ICO has issued draft guidance advising companies to refresh any existing consent that does not meet GDPR standards before the regulation comes into full effect. However, a word of warning: be very careful about how you do this. As recently as March 2017, Honda and Flybe were fined a total of £83,000 under the existing PECR rules for emailing subscribers to seek re-affirmation of marketing consent, when they could not show documented proof of consent to contact those subscribers in the first place. If you cannot demonstrate that someone consented, a “please re-confirm” email is itself unsolicited marketing. Businesses are also rightly concerned about their customer databases being devalued, and many are choosing to wait until more specific information is released before beginning this process. Given the lack of clear guidance, this is largely an individual judgement call at the moment.
Does Consent Need to Be Documented?
Yes. Under Article 7(1) the controller must be able to demonstrate that the data subject consented, and this is one of the most manually intensive aspects of the regulation. At the very least, you must document:
– statements of the information you have collected and the purpose for processing it
– records of consent from data subjects: who consented, when, how, and to which wording
– records of processing activities under your responsibility (Article 30)
– your processes for protecting personal data, including the technical measures in place
Still Confused About Consent?
Don’t worry. Although more specific guidance on implementing the regulation has yet to be published, official draft guidance on consent is already available from the ICO, which has stated that it is unlikely to change significantly in its final form. You can view the ICO’s guidance on consent on its website. This gives companies a realistic basis on which to prepare in earnest for the GDPR and avoid being handed fines when May 2018 arrives. Do stay tuned for future updates and guidance on consent in future blogs.