In order to process personal data in compliance with GDPR a legal basis is mandatory. Consent is but one of the 6 Legal Bases for processing personal data under the GDPR. With regard to the legal bases the GDPR in article 6 lists those legal bases which are (1) Consent of the data subject, (2) processing is necessary for the performance of a contract, (3) processing is in compliance with a legal obligation, (4) processing is necessary for protection of the vital interests of the data subject or other natural person, (5) processing of personal data is being carried out in the public interest and (6) and processing is carried out for the legitimate interest of the controller or by a third party.
This article will focus solely on where consent is used as the legal basis. Under the GDPR, as under the previous EU Directive, consent must be given freely, and it must be specific and informed. As this part has not changed from the current legislation, these aspects should already have been taken into account and your organization should already be compliant with them. What changes with GDPR is that the bar for obtaining consent has been set higher, under GDPR consent should be granular, specific, freely given by an unambiguous affirmative action and as easy to withdraw as to give.
Below, we list and briefly describe some of the most important points that must be adhered to. If the manner in which your organization previously acquired consent does not meet these standards, then your existing consent is not sufficient and is therefore not GDPR compliant.
This article will interchange between the terminology “company” or “organisation” as the GDPR applies to both.
Some Definitions
A “Controller” under GDPR is the organisation or company that determines the purposes of the processing of personal data where a “processor” carries out the processing of the personal data on behalf of the “Controller”. A “processor” can further engage “sub-processors” and the “Controller” would have visibility and approval rights over these “sub-processors”.
The GDPR does not refer to data subjects or clients. The language that is used most consistently throughout the GDPR is “natural person” or ‘’data subject’’ and. The term ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). For the purpose of this article, data subjects or end clients or customers will be referred to as ‘’data subjects’’.
The term ‘processing’ means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Article 4 of GDPR contains a full list of definitions.
Consent must be Unbundled
Consent can no longer be given by data subjects as a part of agreeing to a larger set of general terms and conditions. The act of giving consent to process personal data must be a stand-alone, clear and separate action. Groups are also prohibited from making use of the service dependent on data subjects giving consent for their data to be collected and processed, unless the data obtained is specifically required and necessary for the service to be delivered.
Move away from Pre-ticked “opt-in” boxes
The GDPR notes that “consent should be given by a clear affirmative act” an active Opt-In. This means that the data subjects themselves must take an action which is clearly shown to be for the purpose of consenting to the use of their data. A pre-checked box does not meet this requirement, as the data subject would need to take an action declining consent as opposed to an action providing consent. People must actively opt-in for consent to be valid under the GDPR.
Silence is not consent
Similar to pre-checked boxes not meeting the “clear affirmative act”threshold for consent required by the GDPR, silence is also no longer valid as a method of obtaining consent. For telephone calls or other areas where silence was previously construed as consent (for recording a call, for example), the data subject will now be required to take action authorizing the use of their data. This could be in the form of verbally agreeing or pressing a button on a handset.
Separate consent should be sought for separate data uses – Granular Consent
If data is being collected with the intent to use it for different purposes, then organizations must ensure that consent is obtained for each purpose separately. This may mean that consent to store an email address in order to send a monthly newsletter may not be sufficient to use the same data to send weekly updates about upcoming sales or offers. This is part of the larger requirement of providing clear and informed consent.
All parties that Process personal data must be named
Every organization (data controller or processor) must identify themselves as well as any third parties (data processors or sub-processors) that may process the data when consent is being sought and the purpose which the personal data will be used for. The law mentions in Article 13 that data subjects must be informed of the “recipients or categories of recipients of the personal data, if any”when they grant consent for their data to be processed. Data subjects must be informed regarding the nature of the processing in clear and plain language.
Consent must be documented
Every aspect of the consent process must be comprehensively documented by organizations consent must be recorded by the company or organisation. As groups will need to be able to prove compliance to supervisory authorities and in case of audits. The GDPR specifies that “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
E-mail Marketing Consent
When Marketing by e-mail to end user customers (data subjects) typically consent will be required although there are exceptions for Business to Business e-mails where typically an Opt-out applies as long as marketing is to a clear business email address.
There is also one exception to consent for end user customers. In the context of a sale marketing can be a legitimate interest where you sold a similar product in the past 12 months and the end user customer was given the option to opt-out but did not take it, this is called the Soft opt in. In the case of the Soft opt in and indeed any email marketing the customer must have the option to opt out on each subsequent communication. Email marketing is governed by GDPR but also the ePrivacy directive soon to be replaced by the ePrivacy regulation.
Explicit Consent
The GDPR in Article 9 has additional requirements for Special categories of personal data. Special Categories of personal data are “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
These Special Categories of personal data have extra safeguards around their processing also detailed in Article 9. Where Consent is the legal basis for processing special category personal data consent now becomes explicit consent (a signed form for example).
Children and Consent
Children come under special protection where consent is the legal basis, the digital age of consent cannot be lower than 13 years old and indeed in some countries such as the Irish Republic its 16 years old, where the child is younger than the respective digital age of consent the parent or guardian must give consent. Privacy notices must be transparent and children have the same rights around their personal data as adults.
It must be easy to withdraw consent
One of the most important aspects of the new legislation is that organizations must not make it difficult for data subjects to withdraw consent. The process must be simple – indeed, it is noted in the Regulations that “it shall be as easy to withdraw as to give consent”. Organizations must therefore take steps to make it easy to withdraw consent and to stop processing where the data subject withdraws consent. Furthermore, where consent is the legal basis before processing any personal data the data subject must be informed of his or her right to withdraw consent.
Before GDPR becomes a reality, the organisation must ensure that all past and current consents comply with these regulations. If it does not do this, the organization may be on the receiving end of a fine.
Every organization based in the European Union or processing personal data of people, or data subjects in GDPR terminology, located in the European Union needs to fully comply with GDPR. It is not optional.
New Consent from Existing Clients?
When the General Data Protection Regulation (GDPR) is introduced on 25 May 2018, an organisation may still be able to use the consent acquired from existing customers under previous data protection regulations, provided the organisation has a record that consent was given. In this case as the organisation has valid consent for a specific purpose it does not need to reconsent customers. Where the organisation has no record of previously given consent it does not have a verifiable consent to contact them even under the previous data protection acts so the very act of contacting these customers may be illegal. Where no record of valid consent is present pre the GDPR companies should focus on removing those customers from their databases and getting valid consent at future interactions and ensure it is granular, specific, freely given by an unambiguous affirmative action and as easy to withdraw as to give. Where a company or organisation has an existing contract with a customer it can continue to contact them about that contract however this is not equivalent to contacting them for direct marketing purposes.
The bar for consent is set higher under GDPR so separate for each different type of processing, unbundling consent from other terms and conditions and giving the data subject the possibility to withdraw the consent as easily as it was given. It should also be kept in mind that consent is only one legal basis and there may be a more appropriate legal basis for the personal data processing.
