#AtoZofGDPR - C is for Consent
Consent. Consent. Consent. That was the message sent out by the millions in the weeks leading up to the 25th May 2018. Everyone received a plethora of emails declaring that “Due to the GDPR, we cannot continue to contact you after 25th May unless you re-consent…” This wave of emails was driven by a basic lack of understanding of the GDPR, of previous Data Protection legislation, and of how they relate to the ePrivacy Directive (PECR).
We will discuss the Lawful Bases for processing personal data later in this series, but what should be made clear now is that consent is not the only lawful basis for processing data, nor is it always required.
The GDPR sets a high bar for consent. Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
So, you must give individuals real choice and control. Genuine consent should put individuals in charge, build trust and encourage engagement. This is your opportunity to enhance your reputation!
GDPR is about “allowing society to benefit from the good in technology but ensuring we are protected from the harms of excessive and unfair processing”.
“Together, we can put Ireland on the map as a country that implements and upholds the highest standards of protection of personal information.”
Consent requires a positive opt-in, so you can no longer use pre-checked boxes. Assumed consent is also a big no-no.
You must also make it easy for individuals to remove or withdraw their consent. How many times have you had to click ‘unsubscribe’ before you actually stop receiving those annoying communications?
You should keep evidence of consent: who consented, when they consented, how consent was received, and what you told people they were consenting to.
Freely given?
GDPR Recital 42:
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
GDPR Recital 43:
In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
GDPR Article 7:
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Therefore, for consent to be considered freely given, it must be truly optional for the data subject. If data controllers withhold or offer a degraded version of service for subjects who refuse or later withdraw consent, such consent would not be valid.
So… Make your consent request concise, transparent and prominent. Separate the consent mechanism from other terms and conditions. Include the name of your organisation. Include why you want the data and what you will do with it. Finally, make it clear that the data subject can withdraw consent AT ANY TIME, and make it easy for them to do so.
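As an added illustration (not part of the original post), here is a minimal consent register in Python that keeps the evidence listed above (who, when, how, what they were told, and which organisation asked) and enforces the positive opt-in, per-purpose granularity and one-step withdrawal points. The purpose names and organisation are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed list of separate processing purposes (assumption for this example).
PURPOSES = {"newsletter", "product_updates", "partner_offers"}

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    given_at: datetime
    method: str             # how consent was received, e.g. "web form checkbox"
    notice_text: str        # what the subject was told they were consenting to
    controller: str         # name of the organisation that asked
    withdrawn_at: Optional[datetime] = None

class ConsentRegister:
    """Evidence log for consent: who, when, how, and what they were told."""
    def __init__(self, controller: str):
        self.controller = controller
        self._records = []

    def record(self, subject_id, purpose, method, notice_text, *, opted_in, prechecked=False):
        # A positive opt-in is required: a default-ticked box or silence is not consent.
        if prechecked:
            raise ValueError("pre-checked boxes do not yield valid consent")
        if not opted_in:
            return None  # no affirmative action, so nothing to record
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}; consent must be specific")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc),
                            method, notice_text, self.controller)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose):
        """Single call, no further steps: withdrawing must be as easy as consenting."""
        changed = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)
                changed += 1
        return changed

    def has_consent(self, subject_id, purpose):
        # Consent for one purpose never implies consent for another (granularity).
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)
```

Every consent check goes through `has_consent`, so a withdrawn or never-given consent stops the processing immediately rather than after repeated unsubscribe clicks.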