What are GDPR’s Rules on Consent?
GDPR has relatively strict requirements to establish that sufficient consent has been given (in Article 7). In this article, we will go over the main principles.
Consent must be clear
Your request for consent should be clear, unambiguous and set out in plain language. It should be clearly distinguished from other matters, and data subjects should be given a separate opportunity to consent or refuse consent rather than it being, for example, buried as a clause in a contract. Where appropriate, separate consent should be requested for different processing operations (such as where they are for notably different purposes).
Ticking a box, choosing technical settings or clearly indicating consent through a statement or conduct are all acceptable. However, pre-ticked boxes, silence or inactivity cannot be taken as consent.
Consent must be informed
In order for consent to be informed, you must at the time of obtaining consent make sure that data subjects know at least the identity of the data controller (including any third-party data controllers) and the purpose(s) for which the data will be processed (e.g. sending marketing emails or undertaking market research).
Note that there is a general requirement to provide a broader range of information to data subjects when their data is collected or otherwise received, which applies whether or not you are relying on the consent ground. The items above are the ones specifically linked in the text of GDPR to consent being informed. We will look at the broader requirements in the next article.
Data subjects must also be told of their right to withdraw consent (see below).
Consent must be freely given
Consent is unlikely to be seen as freely given where there is a significant power imbalance between the parties. GDPR specifically suggests that there is likely to be an imbalance between individuals and public authorities. Similarly, an employee's consent to their employer processing their data is unlikely to be considered freely given. As a result, it will be better for HR data to be processed under a different ground.
More generally, consent will not be free if the data subject is unable to refuse or withdraw consent without suffering detriment. This would appear to rule out, for example, incentive schemes for giving consent.
GDPR makes clear that consent is unlikely to be free if it is required as a condition of entering a contract. This means that to the extent that collecting and processing the personal data of customers really is vital (whether to performing the contract or to your other operations), it will be better to operate under a different ground.
Consent must be recorded
As with most measures under GDPR, you will need to record the steps you have taken and be able to demonstrate compliance. In practice, this means keeping details of exactly what consent has been given, and when, with your client records. It also means that you should be very wary of obtaining consent entirely verbally - instead, make sure that it is backed up in writing.
Consent for children
In Article 8, there are specific requirements for consent to be valid where a service is offered online to an individual under 16 years old (although EU countries may legislate to reduce that age to a minimum of 13). In these cases, consent must be given or authorized by the holder of parental responsibility over the child.
It is your responsibility to take “reasonable steps” to verify that this has happened, given the technology available. You will need to think about children who might use your services and decide the best way to ensure that they get permission before providing their consent.
Withdrawal of consent
Data subjects have a right to withdraw their consent at any time. They should be informed of this right before giving consent, and withdrawing consent should be as easy as giving it.
It is worth giving some thought to what you will need to do if consent is withdrawn. You will need to make a clear note on your client records, and also bring to a halt any processing in progress.
Explicit consent
There are three situations in which GDPR states that consent must be “explicit” in order to justify processing. Two were mentioned in the previous article: in the case of special categories of data, and when the processing involves automated decision-making. The third is when the processing involves transfers of data to a country outside of the EU, or to an international organization.
It is unclear how far this goes beyond the normal consent requirements. What is clear is that the requirement to spell out what you will do with the data and to make clear that it is a free choice is heightened in these cases. The general recommendation appears to be to get this kind of consent in writing, with a handwritten signature.
If the requirements for consent appear onerous, always remember that the other lawful grounds are available instead. For some business models, you may not need to rely on consent at all.
By following the guidelines in this and the previous article, you can ensure that you have a lawful ground, and that your processing starts off lawful. However, this is not enough on its own — you will also need to show that the way you go on to process the data satisfies GDPR. That is what we will consider next.