1. What is Consent?
For the purposes of the General Data Protection Regulation (GDPR), consent means offering data subjects genuine choice and control over how the Company uses their personal data.
When consent is used properly it helps build trust and enhance the Company’s reputation. Handling personal data badly can erode trust in the Company and damage our reputation. Data subjects won’t want to engage with the Company if they think they cannot trust the Company with their data; if the Company does things with it that they don’t understand, want or expect; or if we make it difficult for them to control how it is used or shared.
The GDPR has made a number of changes to the basis of ‘consent’, and while the changes are small the impact is significant.
Consent is defined in the GDPR as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her…"
2. Is consent needed?
Under the GDPR you need a ‘lawful basis’ to process personal data. A lawful basis means there is a lawful ground for processing data subjects’ personal data. There are six lawful bases in total. The Company has an obligation to identify and document a ‘lawful basis’ for the processing of data subjects’ data. They are:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the Company is subject;
- Processing is necessary in order to protect the vital interests of a data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3. When must you have consent?
You will need a data subject’s consent to process their personal data when no other lawful basis or exemption applies.
4. Do you always need consent?
No, it should be remembered that it is not mandatory to obtain data subjects’ consent to process their personal data under the GDPR.
If the Company relies on consent then staff should be aware that this will also affect data subjects’ rights. Data subjects will have the right to withdraw consent, and will generally have stronger rights – including, for example, the right to erasure (also known as ‘the right to be forgotten’).
If a data subject withdraws consent and exercises his/her right to erasure (for example, requesting that the Company delete all personal data held about that data subject) then this could prove very problematic for the Company in trying to provide its goods/services (delete as appropriate) to that data subject.
5. When is consent inappropriate?
If for any reason the Company cannot offer its data subjects a genuine choice of whether to consent to the processing or not, then using consent as a lawful basis will be inappropriate, as it presents data subjects with a false choice. This may be the case if, for example:
- The Company would still process the data on a different lawful basis if consent were refused or withdrawn;
- The Company asks for ‘consent’ to the processing of their data as a precondition of a data subject accessing a service; or
- There is an imbalance of power between the parties, i.e. the Company and its data subjects. Public authorities and other companies that are in a position of power over individuals should avoid relying on consent, and should instead look for another basis for processing, such as ‘performance of a public task’.
6. What is an exemption?
An exemption restricts the rights of data subjects, and the obligations of the Company, for particular types of data processing (see below). These exemptions are broadly similar to those under the Data Protection Act 1998 and are considered necessary.
The following are some examples of exemptions that could apply to the Company’s work. The processing is required because of:
- National security matters;
- Defence matters;
- Public security matters;
- The prevention, investigation, detection or prosecution of criminal offences;
- Immigration purposes (new under GDPR);
- Child abuse investigations (new under GDPR); and
- Other important public interest, in particular economic or financial interest, including budgetary and taxation matters, public health and security.
Essentially this means that the Company can process data in respect of these ‘exempt’ categories and, in doing so, it does not have to comply with certain parts of the GDPR.
Each EU country can decide its own exemptions, and the UK/Ireland (delete as appropriate) will determine a full list of exemptions in readiness for GDPR implementation in May 2018.
7. If consent is the only appropriate lawful ground for processing and there is no exemption available, then what are the requirements?
The GDPR sets out various conditions that must be satisfied for valid consent. These are set out in Article 7 of the GDPR, which states consent must be:
Freely given, specific, informed – Consent must be freely given, specific and informed, and there must be an indication signifying agreement. This means being transparent with our data subjects, not trying to force consent, and informing them of the reasons for the processing. They must be able to make an informed decision. A vague or blanket consent is not permitted.
Distinguishable and in clear, plain language – Where consent is given in a written document which also concerns other matters, the consent form should be kept separate, clear, plain and concise. Language should be simplified further when seeking young people’s consent.
Unbundled – Consent requests must be separate from other terms and conditions, and specific. Consent should not be a precondition of signing up to a service unless necessary for that service.
Active opt-in – Use un-ticked ‘opt-in’ boxes or similar active opt-in methods. You may not rely on silence, inactivity, pre-ticked boxes or your general terms and conditions.
The GDPR does not specifically ban ‘opt-out’ boxes but they are essentially the same as pre-ticked boxes, which are banned. Do not use either!
Granular – The Company must provide separate consents for different types of processing wherever appropriate.
Named – Any consent must contain details of the Company and all third parties who will be relying on the consent. Simple categories of third-party companies will not be acceptable under the GDPR. For example, the Company will not be able to tell the data subject that the information “may be shared with external third parties working with or on behalf of the Company”. All companies with whom the data will be shared should be named.
Documented – The Company must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. You must be able to verify consent, so keep detailed notes of who, what, when, where and how.
Easy to withdraw – The Company must tell data subjects that they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw consent as it was to give it. Details of the right to withdraw consent must also be contained in the Company’s privacy notices and consent requests.
If consent is the lawful basis on which you rely to process the data, then the consent must be given before the processing starts! Any data processing that has taken place before consent has been obtained is unlawful, as you have no legal ground in place before commencing the processing.
8. Explicit Consent
Just as consent is a lawful condition for processing personal data, ‘explicit consent’ is the lawful condition for processing ‘special category’ personal data (sensitive personal data). The special categories of personal data include:
- Racial or ethnic origin data;
- Political opinions;
- Religious and philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person; and
- Sex life and sexual orientation.
Consent for processing this type of personal data must be very clear and specific. The data subject must give ‘explicit’ consent.
9. How long does consent last?
The GDPR does not set a specific time limit for consent. How long the consent lasts will depend on the purpose for which the consent was received. In England, the Information Commissioner’s Office (ICO) has suggested that consent should be reviewed at least every two years; however, staff will need to consider the scope of the original consent and the data subjects’ expectations.
You will also need to review any active consent on file in readiness for the GDPR implementation in May 2018, to ensure that your consent is compliant with the GDPR.
10. What are the rules on capacity to consent?
The GDPR does not contain specific provisions on capacity to consent, and the general understanding is that you can consider adult data subjects to have the capacity to consent unless you have reason to believe the contrary.
The situation with the Company is however different. (some/many/all of the Company’s data subjects are vulnerable and may lack capacity to consent - (delete as appropriate or remove sentence if not relevant)). Staff should be very careful when considering the consent of the elderly and vulnerable in the community.
It may be that the Company’s staff do have reason to believe that someone lacks the capacity to understand the consequences of consenting and so cannot give informed consent. If so, another individual with the legal right to make decisions on their behalf (e.g. under a Power of Attorney) can give consent.
11. What are the rules on children’s consent?
The Data Protection Act 1998 did not contain any specific restrictions on processing children’s data, and rules on children’s ability to consent have until now been drawn from the courts and case law.
The GDPR does mention protecting children several times in the regulations; however, the term “child” is not defined by the GDPR. What the regulations do say is that children are “vulnerable natural persons” and that processing children’s data is an activity that may result in risk “of varying likelihood and severity”.
The GDPR makes specific reference to children’s consent in relation to ‘information society services’ (services requested and delivered over the internet, e.g. social media such as Facebook, Twitter etc.…). If the Company offers these types of online services directly to children (other than preventive or counselling services) then the Company should treat any child over the age of 16/13 years of age as being able to consent themselves unless there is evidence to the contrary. (The age at which parental consent is required is not yet confirmed by Parliament. Delete as appropriate when correct age is known).
The Company therefore does not need parental consent if the child is over the age of 16/13; however, the Company must obtain parental consent for children under the age of 16/13.
If the Company chooses to rely on children’s consent, they will need to implement age-verification measures, and make ‘reasonable efforts’ to verify parental responsibility for those under the relevant age.
12. What if a data subject refuses or withdraws consent?
If a data subject refuses or withdraws consent, the data protection officer/data protection lead (delete as appropriate) should be informed immediately, and any processing stopped as soon as possible. In some cases it will be possible to stop immediately, particularly in an online automated environment. However, in other cases the Company may be able to justify a short delay while you process the withdrawal.
If a data subject withdraws consent then any processing up until the point of withdrawal will be legal and permitted as long as you can show you had a legal basis. If you were relying on the consent of the data subject, but had not yet received that consent before processing the data subject’s personal data, then this is illegal, as at the time of the processing you had no lawful basis in place.
13. Can the Company carry on using existing Data Protection Act 1998 consents?
The Company is not required to automatically ‘repaper’ or refresh all existing consents in preparation for the GDPR if the existing consent in question meets the GDPR conditions above. If the active consent does not meet the GDPR standard then you will need to obtain a fresh GDPR-compliant consent or identify a different lawful basis for your processing.
You should also consider putting in place compliance mechanisms for data subjects to withdraw their consent easily.
14. What are the consequences for getting consent wrong?
The EU and the ICO treat consent seriously, and place great importance on getting consent right. This is reflected in the possible fine for breaching consent – up to €20 million or 4% of gross annual turnover.
There is no room for error when dealing with consent under the GDPR, and you should speak to your Line Manager or data protection officer/data protection lead (delete as appropriate) immediately if you are in doubt.
We all have a responsibility as members of staff within the Company to ensure that any processing of personal data is done in line with the GDPR. Failure to do so could result in the Company incurring a significant fine.
The Company has a designated data protection lead who can provide advice and assistance on the GDPR as well as other associated legislation. The individual/department concerned is ???? and can be contacted as follows:
Company telephone number -
17. The Information Commissioner
The Information Commissioner is the governing body for Data Protection in the UK. If you would like further advice on the GDPR you can contact the Information Commissioner's Office at the address below:
Information Commissioner's Office
Tel: 01625 545 745
20 – Appendix 1
Questions to ask yourself
1. Am I processing a data subject’s personal data? Or sensitive personal data?
2. Have I identified and documented a lawful ground for processing the personal data?
3. Am I intending to rely on consent as a ground for processing a data subject’s personal data? Or explicit consent for processing sensitive personal data?
4. Have I considered alternative grounds for processing the data? Or are there any exemptions that could apply?
5. Is the consent request written in clear unambiguous terms? Has the consent been freely given and ‘explicit’ if processing sensitive personal data?
6. Did I use pre-ticked opt-in boxes in the past? (If so you will have to change these).
7. Will the data subject suffer if they do not consent? (If so, could this be considered an imbalance of power, and consent may not be considered as freely given?)
8. Have I kept a clear and up-to-date log of when consent was obtained?
9. Has the data subject been given the option to withdraw consent?
10. If the data subject has been given the option to withdraw consent, how can they request it?
11. How will the Company act upon the request to withdraw consent?
12. What are the consequences of a data subject withdrawing their consent?
13. Have I used consent as a basis for processing personal data before 25 May 2018? Am I still relying on that previous consent to process a data subject’s personal data? (If so, you will need to review the consent on file to ensure that it complies with the GDPR, which comes into force in May 2018).