Ensuring explicit consent by the individual is one of the key areas to take into account in the GDPR (your organization may face fines up to 20.000.000€ or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher). From a customer perspective, proper application of consent gives individuals autonomy and control over their data, resulting in more trust and reputation of the service provider.
Alas, with the GDPR, obtaining and maintaining consent is now significantly more difficult to achieve, so we’ll look at what challenges it poses, the alternatives, when to use it and how to go about it.
On one hand, consent must be “freely given, specific, informed and unambiguous.” In some cases, the power position of the entity makes consent unfeasible (as in the employee/employer relationship, which conditions the free will of the employee). On the other hand, the individual can trigger the right to be forgotten (which will have to be fulfilled unless there is a legal basis justifying the need for processing) or may even request deletion of their data because it is no longer needed.
Note that the very act of asking for consent may constitute a violation of the right to privacy, as in the case of Honda in the United Kingdom (emailing customers to ask for consent, without having any record of their previous… consent).
Mechanisms for legal processing
For the above reasons, organizations should first determine the legality, under the GDPR, of the use of personal data, and then assess which is the best mechanism to sustain legal processing. Of the six possible mechanisms (lawful bases), consent may not be the easiest to apply or the most correct. There are five other alternatives to consent, which may be more appropriate for your organization:
- Processing is required:
  i) in relation to a contract that the individual has accepted; or
  ii) because the individual has asked that something be done so that they can enter into a contract.
- Processing is required due to applicable legal obligation (except an obligation imposed by a contract).
- Processing is necessary to protect the “vital interests” of the individual. This condition applies only to life and death cases, such as when an individual’s medical history is made available to an emergency department at a hospital for treatment after a major road accident.
- Processing is necessary to administer justice or to perform statutory, governmental or other public functions.
- Processing is done according to the “legitimate interests” condition.
Of these alternatives, processing due to legal obligation is a practical approach: identifying the existing legal basis that supports the processing needs of the organization is a good starting point. A concrete example, in the area of human resources, derives from the obligation to maintain information about the employee for social security. Just keep in mind that personal data should be limited to the minimum necessary for the processing for which it is intended.
Another alternative is the use of “legitimate interests” to justify the processing of personal data, such as keeping the employee’s bank account details to use for payment of wages.
When to use the consent mechanism?
Consent is appropriate when:
- There is use of special categories of data (such as sensitive health data)
- Processing restriction (there is reason not to process and only store personal data – for example when the individual disputes the accuracy of their data)
- Automatic decision making (criterion should be transparent)
- Bank transfers (be careful when existing safeguards are insufficient)
Consent best practices
The GDPR requirements for consent are: being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. From the ICO (Information Commissioner’s Office) we’ve got the following guidance on the application of the consent mechanism:
- Separation: Consent requests must be separate from other terms and conditions. Consent cannot be a precondition for subscribing to a service unless it is required for that same service.
- Explicit opt-in: Clear and positive action is required; pre-ticked boxes are not allowed.
- Granular: Each different form of processing must have its own separate opt-in.
- Named parties: The consent request must identify your organization and any other organizations, including processors, that will process the data.
- Easy to withdraw: Provide clear means of withdrawing consent at any time.
- Relationship balance: Obvious imbalances, such as employer/employee, will result in forced consent, which is not acceptable.
- Documentation: Auditable consent records must be maintained.
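To make the granular, opt-in, easily withdrawn and documented requirements concrete, here is an added example (not from the original post, nor from the ICO) of a small append-only consent ledger. All names, purposes and the `user-42` record are constructed for illustration. Current consent is always derived from the latest recorded event per subject and purpose, a subject who was never asked has no consent, only boxes actively ticked count, and every grant, refusal and withdrawal stays in the audit trail.

```python
"""Hypothetical consent ledger illustrating granular per-purpose opt-in,
no pre-ticked defaults, easy withdrawal and an auditable append-only record.
Constructed example for illustration; not production code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str                      # the data subject (constructed id)
    purpose: str                         # one distinct processing purpose
    granted: bool                        # True = opted in, False = declined/withdrawn
    at: datetime                         # when the event was recorded (UTC)
    source: str                          # how it was captured, e.g. "signup-form"
    wording_version: Optional[str] = None  # which consent text the subject saw


class ConsentLedger:
    """Append-only store: events are never edited or deleted, so the record
    stays auditable. State is the latest event per (subject, purpose)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, subject_id: str, purpose: str, granted: bool, source: str,
                wording_version: Optional[str], at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(subject_id, purpose, granted,
                             at or datetime.now(timezone.utc), source, wording_version)
        self._events.append(event)
        return event

    def capture_form(self, subject_id: str, offered: Iterable[str], checked: Iterable[str],
                     source: str, wording_version: str,
                     at: Optional[datetime] = None) -> List[ConsentEvent]:
        """Record one event per purpose that was offered as its own box.
        Only boxes the subject actively ticked are recorded as granted; the
        unticked ones are recorded as declined so the audit trail shows they
        were offered separately and not bundled."""
        offered = list(offered)
        ticked = set(checked)
        unknown = ticked - set(offered)
        if unknown:
            # Consent can only exist for a purpose the subject was actually asked about
            raise ValueError(f"consent claimed for purposes never offered: {sorted(unknown)}")
        return [self._record(subject_id, p, p in ticked, source, wording_version, at)
                for p in offered]

    def withdraw(self, subject_id: str, purpose: str, source: str = "account-settings",
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal is just another appended event; nothing is erased."""
        return self._record(subject_id, purpose, False, source, None, at)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event for this subject/purpose wins; no event means no consent
        (there is no such thing as a default or pre-ticked grant)."""
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event.granted
        return False

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Everything ever recorded for one subject, in order, for audits or
        subject access requests."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Walk one constructed subject through sign-up and a later withdrawal."""
    ledger = ConsentLedger()
    ledger.capture_form("user-42",
                        offered=["newsletter", "profiling", "share-with-partners"],
                        checked=["newsletter"],
                        source="signup-form", wording_version="2018-05")
    newsletter_before = ledger.has_consent("user-42", "newsletter")
    ledger.withdraw("user-42", "newsletter")
    return {
        "newsletter_before_withdrawal": newsletter_before,   # True
        "newsletter_after_withdrawal": ledger.has_consent("user-42", "newsletter"),  # False
        "profiling": ledger.has_consent("user-42", "profiling"),  # False: box left unticked
        "audit_events": len(ledger.audit_trail("user-42")),       # 4: three offered + one withdrawal
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger deliberately has no `update` or `delete` method: a withdrawal is recorded as a new event rather than by overwriting the grant, which is what makes the record auditable, and each purpose is a separate event, which is what makes it granular.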
For a simple checklist on the use of consent, consult the ICO document “Consultation: GDPR consent guidance”. In the next post, we will go through data protection by design, a way of addressing data protection risk at the right time.