There is much discussion around the matter of consent, and sadly there are many misconceptions that are leading to concern about how to obtain it.
It is not true, for example, that data can only be processed where consent has been given. There may well be an alternative basis on which data can be processed.
Whilst you must have a legal basis for processing under the GDPR, consent is only one of six ways you can process data legally. Article 6 of the GDPR sets out the following:
- Consent
- Contract
- Legal obligation
- Vital interest
- Public interest
- Legitimate interest
It is worth considering which basis best fits your organisation and its way of working. Consent may not be the best fit. It is important to document your decision-making in relation to which basis you will rely upon for the data processing your organisation carries out, and there may well be more than one.
Where you do rely on consent as your basis for processing, there are guidelines to follow. The GDPR has set a high standard for the basis of consent. If you rely on consent it must be “freely given, specific, informed and unambiguous.” It must also be given by clear affirmative action.
It is important to remember that the legal duty rests with the controller/processor to prove that you have the correct consent in place.
Once you have obtained consent, for example, to process an individual’s data for the purposes of marketing, that consent stands until it is withdrawn. However, it is good practice to refresh your consent if anything changes or if you have not been in regular contact with people. If you rely on parental consent, it is important to refresh your consent as children come of age so they can consent for themselves as adults.
The GDPR makes it clear that you must make it easy for people to withdraw their consent at any time. A process should be put in place in your organisation to ensure you do not continue to process the data of an individual who has withdrawn the consent which you rely upon.
Key points to remember when relying on consent:
- Consent must be a positive opt-in, not a default of another process.
- Use simple, straightforward and specific language when requesting consent.
- Ensure you keep good records of the consent you have obtained, what the individual was told and how they consented.
- Remember there might be a more appropriate basis for you to rely upon; contractual, for example.
- Keep the process of obtaining consent separate from existing T & Cs.
- Consider if you are using special category data under the GDPR for which you would need to obtain consent to legitimize the processing.
- Remember failure to opt out is not consent. The individual must know they have given consent.
Please refer to the following guide available on the Information Commissioner’s website, which provides greater detail on all of the points mentioned above.
Have a look at our other GDPR blogs to help you prepare for the 25th May:
- Getting Started with GDPR
- GDPR: Continuing the Journey to Compliance
- GDPR: The New Data Protection Fee
Please note: This article is a commentary on general principles and should not be interpreted as advice for your specific situation.