Welcome to the third instalment in our mini-series of blog posts on the General Data Protection Regulation.
In our last GDPR blog we explained that the DPA and GDPR apply when personal data is being processed by an organisation, and that one of several grounds must be satisfied for the processing to comply with the legislation.
One of the most frequently applied grounds for processing personal data is consent.
Consent and the GDPR
The GDPR will place greater requirements around consent, making the process more onerous for businesses but providing individuals with greater assurance that their data will not be used unless they want it to be.
Silence, pre-ticked boxes on websites or any other form of passive acceptance will not constitute consent under the GDPR.
Consent under the GDPR means offering individuals genuine choice and control.
Does your business process personal data?
If so, you need to start taking steps (if you haven’t already) to ensure your collection of personal data is compliant with the GDPR. Databases which contain data that has not been obtained in compliance with the GDPR may be unusable from 25 May 2018.
How should you seek consent?
Requests for consent must be easily comprehensible, accessible and in clear and plain language. They should be:
- conveyed in a language likely to be understood by the relevant data subject; and
- clearly identifiable within the surrounding contract or agreement.
The data subject must be made aware of the name of your organisation and the identity of any other organisations that will process the personal data. The purposes for processing the information must be clear. Consent only applies to the purpose for which it has been obtained. For example, if you obtain consent to use personal data for a research project you must obtain further, separate consent if you wish to use it for marketing purposes.
Consent to processing will not be valid where performance of a contract is contingent upon the giving of consent (although you may be able to rely on another ground such as legitimate interest; please see our second mini-blog for more information).
The right to revoke
Data subjects must be given the ability to revoke their consent at any time. Revocation must be as easy for the data subject as giving consent. Any data processing that occurs before consent is revoked will still be valid.
Keep a record
Organisations should keep records of consent where it is used as justification for processing and review existing consent mechanisms to ensure that they comply with the requirements for consent highlighted above.
Documentation in respect of consent should record:
- the manner in which consent was obtained;
- the purposes for processing personal data;
- descriptions of the categories of data subjects and of personal data; and
- if, how and when consent has subsequently been revoked.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.