The third in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on the alternatives to consent when data processing.
There are six legal bases for data processing under the GDPR (General Data Protection Regulation) and consent is one of them. Consent may not always be the most appropriate legal basis for data processing and it is important to be aware of the other legal bases available.
Advantage of Consent
Consent as a legal basis for data processing has many benefits for your business. It gives individuals choice about how you use their data and ensures that you are accountable and transparent when it comes to data processing. This can assist in building trust with customers and enhancing your reputation. Consent is appropriate when you want to give your customers choice and control over how you use their data.
When is consent not appropriate?
Consent is not always appropriate for data processing and will not be if you cannot offer customers a genuine choice over how you use their data. There are three circumstances where you should not use consent as a basis for data processing:
- You would process the data on a different basis if consent were refused. Seeking consent in this circumstance is unfair and misleading as you are giving the individual the illusion of having a choice; however you would still process the data regardless of their consent.
- You have requested consent as a precondition of accessing services – this may not even count as valid consent in some circumstances, as it is not freely given.
- You are in a position of power over the individual – those who depend on you or your services may not give free and valid consent due to their fear of adverse consequences.
Alternatives to consent
There are five alternatives to consent which can be used as bases for data processing:
- You need to process someone's personal data to perform a contract you have with them; for example, where you have a contract with an individual to supply goods or services.
- Where you need to process an individual's data because your organisation has to comply with a legal obligation under UK or EU law.
- If necessary to protect someone's life.
- You need to process data in order to carry out an official function or task which is in the public interest and you have a basis for proceeding under UK law. This will likely apply to public bodies.
- Where you are a private sector organisation without consent, and you have a genuine and legitimate interest (which includes commercial benefit), so long as this is not outweighed by harm to an individual's rights (the "legitimate interest" basis).
What does this mean in practice? The draft ICO Guidance gives some helpful guidance on this, and any business seeking to rely on the legitimate interest basis should take note. The principle of accountability will apply, just as it does with consent, and businesses will need to ensure that they have been fair and transparent with the data subject and be able to justify processing on this basis. Importantly, a business will need to demonstrate why the processing was necessary to carry out your business function. Being able to show that it was proportionate and there was no less intrusive alternative available will be critical.
Choosing the correct basis
Where your data processing falls within one of the five other legal bases described above, consent is not appropriate as, if consent is not given by the data subject, you could still process the data under another legal basis. Therefore, consent is only an appropriate legal basis for data processing where you have no other legal basis for processing but you want to give the data subject choice and control over how their data is processed and managed.
Read Part 1:
Consent: Getting it right under the new rules #GDPR – Part 1:
What is Consent?
Read Part 2: Consent: Getting it right under the new rules #GDPR – Part 2: What does this mean for your business?
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts' team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.
If you require advice, assistance or representation in relation to the upcoming General Data Protection Regulation obligations or any other compliance and regulatory matters, contact our team today for expert advice tailored to your needs and/or sign up to our newsletter to keep up to date with the latest GDPR news and developments.
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.