"Consent" fit for the 21st century
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Confidence, Trust and Consent go hand-in-hand!
The Information Commissioner, Elizabeth Denham, said today at the ICO Data Protection Practitioners' Conference in Manchester that data protection is not about "merely being a technician, it is about putting the consumer first". The GDPR brings data protection into the 21st century by providing stronger protection to consumers and is an opportunity to "improve and set out data confidence in the UK". Currently, only 1 in 4 adults trust businesses with their private data – the ICO today confirmed that the GDPR aims to address this mistrust in data processing and give consumers control over their data. That said, data protection creates that very opportunity to deliver trusting business relationships. GDPR is "an opportunity."
"Higher Standard of Consent"
The definition of consent under the GDPR is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
The key elements of the consent definition remain the same as under the previous Data Protection Directive: the consent must be freely given, specific and informed, and there must be an indication signifying agreement by the data subject. However, the GDPR adds a further layer by requiring that the indication be "unambiguous" and that consent be given "by a statement or by a clear affirmative action". This means that businesses will no longer be able to rely on a pre-ticked or opt-out box for consent, as the data subject must confirm their consent by a clear affirmative action.
The GDPR has, in general, set a higher standard for consent. Consent to data processing offers individuals a genuine choice and control over how their data is used by organisations. Consent under the GDPR now requires an active opt-in by the individual rather than the previous passive consent by default or failure to opt out.
Some additional rules to take note of are as follows:
- Consent to data processing must be separate from other terms and conditions. This way, the consent will stand out and be obvious to the individual.
- Consent must be capable of being withdrawn by the individual at any time, and withdrawing it must be as easy as giving it.
- Consent must be freely given and give the data subject a genuine choice as to which data is processed and how this is processed.
Alternatives to Consent?
Consent is not the only lawful basis for data processing and is not always the appropriate one. Consent should not be relied on as a lawful basis for data processing if the data controller would still proceed with the processing regardless of whether the data subject consents; where consent is a precondition of the service; or where the data processor is in a position of power over the data subject. You do, however, need consent when no other lawful basis for data processing applies.
Children and Consent
The GDPR will also enforce stricter consent requirements for children. In the UK, children under 16 years old cannot consent to data processing (however, the UK government could lower this to 13 years old). Therefore, in these cases, you will have to provide effective age-verification systems to ensure that consent given is valid.
The Crystal Ball Question – How long does valid consent last?
There is no set time limit for consent. It will depend on the circumstances of the request for consent and the general nature of the data processing. You should review and refresh consent as and when appropriate. The ICO recommends refreshing consent every two years; however, care should be taken in relation to different data processing purposes, and you may have to do this more frequently depending on your circumstances.
Why is this important for my business?
Consent, when done correctly, can enhance your business's relationship with individuals and instil trust and a good reputation. Consent, when done wrong, can lead to substantial fines (which can be as high as 20 million euros or 4% of your total worldwide annual turnover, whichever is higher) as well as permanent damage to your reputation.
In order to ensure that your business is GDPR compliant, you should conduct a review of your consent policies and procedures to ensure these meet the new higher standards of the GDPR.
For guidance on how to ensure your business becomes compliant, look out for our next blog on consent under the GDPR and what it means for your business.
Read our previous blog: Consent: Getting it right under the new rules #GDPR
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts' team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.