Consent can only be obtained through offering individuals genuine choice and control over the lawful processing of their personal data.
Previously, consent could be implicit, or you could rely on ‘opt-out’ consent in some circumstances (B2B email, for example). The GDPR now requires a clear and specific statement of what the data subject is consenting to.
Online solutions are often fragmented: a single service may be built from many separate parts (third-party apps, plugins, hosted scripts and so on), which can mean that far more people and organisations than you realise have access to the personal information you share. The GDPR aims to limit this exposure and to protect individuals from exploitation and identity theft.
Data collected under the Data Protection Act
There’s no obligation to automatically refresh all existing consents collected under the DPA if they already meet the GDPR standard.
However, if the method previously used to obtain consent does not meet the new standard set by the GDPR, consent must be re-obtained to ensure that continued processing is fair and has a lawful basis. If you are unable to re-obtain consent in this scenario, further processing must stop immediately.
In all cases, consent must be properly documented and compliant mechanisms put in place for individuals to withdraw their consent easily.
What you need to do
First, review current consents that have been obtained from individuals. Then you can decide whether that consent is the most appropriate basis for processing, whether it needs refreshing and if so, what form it would take and how you could most efficiently work through that process.
Next, discuss the outcomes with your technology providers (website, CRM, etc.) so that you can put a plan in place for capturing and managing consent online in this new form.
Working through the above process is critical in ensuring you know what is specifically required in order to obtain lawful consent from individuals.
Keep in mind that in all cases the method used to obtain consent must be unambiguous and must require a clear affirmative action from the individual; a pre-ticked box, silence or inactivity does not count.
Is consent always required?
Consent is not always required. If obtaining consent is too difficult, look at whether another lawful basis is more appropriate. Always question what the true nature of your relationship with an individual is and why their data is being processed by you.
When considering alternatives to consent, it is important to understand the other lawful bases the GDPR provides for processing personal data:
- A contract with the individual
e.g. to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract
- Compliance with a legal obligation
if UK or EU law requires you to process the data for a particular purpose
- Vital interests
e.g. if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else
- A public task
if you need to process personal data to carry out your official functions or a task in the public interest, and you have a legal basis for that processing under UK law
- Legitimate interests
if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests
Consent done properly
Requests to individuals for consent to process their data should be clear, concise and separate from your terms and conditions.
Whenever requesting consent, your organisation should always be named, along with any third parties who will rely on the consent. You must state why the data is required and what will be done with it, and be explicit about the individual's right to withdraw that consent at any time.
An audit trail of how and when consent was obtained must be kept, so that if compliance is ever challenged in the future the information is available to prove the details. Each audit trail record should include: details of the individual; the date and time; brief details of the request; the method used to obtain consent; and whether that consent has since been withdrawn.
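The following is an added example (not code from the original page) of what such an audit trail can look like in practice. It stores each consent and each withdrawal as a separate, append-only record carrying the fields listed above, refuses to record a consent whose capture method was not a clear affirmative action, and exposes the check a processing job should run before touching the data. The hash chain linking records, the set of accepted capture methods, and the names used in the demo are assumptions made for illustration.

```python
"""Added example (not from the original page): a minimal consent audit trail.

Each consent or withdrawal is an append-only, hash-chained record holding the
fields the text asks for: who, when, what was requested, how consent was
captured, and whether it has since been withdrawn.  The hash chain is an added
assumption: it lets you show a later challenger that the records have not been
altered since they were written.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Assumption: capture methods this organisation treats as a clear affirmative
# action.  Pre-ticked boxes, silence or inactivity are deliberately absent and
# are rejected before anything is stored.
AFFIRMATIVE_METHODS = {"unticked_checkbox", "signed_form", "double_opt_in_email"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # the individual (use a pseudonymous id, not raw PII)
    timestamp: str         # ISO 8601, UTC
    event: str             # "granted" or "withdrawn"
    purpose: str           # brief details of what was requested
    controller: str        # your organisation, named
    third_parties: tuple   # anyone else relying on this consent
    method: str            # how consent was captured, or how it was withdrawn
    prev_hash: str         # hash of the previous record (chain link)
    hash: str              # SHA-256 over every field above


def _digest(body: dict) -> str:
    """Canonical JSON of the record body, hashed."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLog:
    def __init__(self, controller: str):
        self.controller = controller
        self.events: list = []

    def _append(self, **fields) -> ConsentEvent:
        prev = self.events[-1].hash if self.events else "0" * 64
        body = {**fields, "controller": self.controller, "prev_hash": prev}
        ev = ConsentEvent(**body, hash=_digest(body))
        self.events.append(ev)
        return ev

    def record_consent(self, subject_id, purpose, third_parties, method, when=None):
        """Store a consent only if it was captured by an affirmative action."""
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action; not recorded")
        return self._append(
            subject_id=subject_id,
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            event="granted", purpose=purpose,
            third_parties=tuple(third_parties), method=method)

    def record_withdrawal(self, subject_id, purpose, method, when=None):
        """A withdrawal is always accepted and is appended, never edited in place."""
        return self._append(
            subject_id=subject_id,
            timestamp=when or datetime.now(timezone.utc).isoformat(),
            event="withdrawn", purpose=purpose, third_parties=(), method=method)

    def status(self, subject_id, purpose) -> str:
        """Latest state for one subject and purpose: 'granted', 'withdrawn' or 'none'."""
        state = "none"
        for ev in self.events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.event
        return state

    def may_process(self, subject_id, purpose) -> bool:
        """The check a processing job runs before touching the data."""
        return self.status(subject_id, purpose) == "granted"

    def verify_chain(self) -> bool:
        """Recompute every hash and chain link; False means the trail was altered."""
        prev = "0" * 64
        for ev in self.events:
            body = asdict(ev)
            stored = body.pop("hash")
            if body["prev_hash"] != prev or _digest(body) != stored:
                return False
            prev = stored
        return True


if __name__ == "__main__":
    # Constructed demo data, not a real individual or organisation.
    log = ConsentLog(controller="Example Ltd")
    log.record_consent("subj-0001", "newsletter", ["MailingCo"], "unticked_checkbox")
    print("may email:", log.may_process("subj-0001", "newsletter"))
    log.record_withdrawal("subj-0001", "newsletter", "account_settings_page")
    print("may email after withdrawal:", log.may_process("subj-0001", "newsletter"))
    print("trail intact:", log.verify_chain())
```

Two design points are worth noting. Withdrawal is recorded as a new event rather than by editing or deleting the original consent, so the trail still shows that consent existed, when it was given and when it was withdrawn. And the capture method is validated at write time, which keeps consents obtained by a pre-ticked box or by inactivity out of the store altogether rather than relying on someone to filter them out later.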
Providing individuals with ongoing choice and control is the best approach, not only to ensure compliance with the GDPR but also to give individuals confidence that their personal data is being looked after in a secure and lawful manner.