Posted by Kate Benefer, Partner
The GDPR and consent
In the second blog in our series on the General Data Protection Regulation (GDPR) we explore the issue of consent and the GDPR.
Consent is the easiest way to process personal data, isn’t it?
Not quite. For many years, under the Data Protection Act 1998, businesses have relied on an individual’s consent to lawfully process data, as it is often considered the “easiest” way to process personal data.
Under the GDPR, consent is one of the lawful bases for processing data, and the GDPR sets a high standard for consent to be valid. It’s not as simple as asking somebody to tick a box to provide their consent.
Under the GDPR, which goes further than the Data Protection Act, consent must be:
1. Freely given – the individual should have a genuine choice to decide whether to provide consent for their data to be processed. The consent must also be unbundled from other terms and conditions so it is clearly brought to the attention of the individual. Consent is unlikely to be regarded as freely given if:
- there is no genuine free choice or the individual is unable to refuse or withdraw consent easily without suffering a detriment
- performance of a contract is made conditional on the processing of personal data that is not necessary for that contract
- there is a clear imbalance of power between the data controller and the individual (e.g. the relationship between employer and employee).
2. Specific and informed – the consent provided must specifically cover the following:
- the data controller’s identity
- the purposes of processing the data
- the processing activities
- the right to withdraw consent at any time: it is recommended that you provide details of how to do so.
This means that if consent is required for a number of different purposes then consent must be obtained for each individual process or activity.
3. Unambiguous (given by a statement or clear affirmative action) – there needs to be a clear indication, leaving no doubt, that the individual consents to their data being processed in a particular way. The individual must provide their consent by some positive action (e.g. signing a consent form or ticking a box). This means that pre-ticked consent boxes will no longer be valid.
What do the changes to consent mean for businesses and HR?
Businesses need to review the personal data that they hold and consider the lawful basis upon which they are currently processing that data. It’s clear that the GDPR will significantly impact direct marketing, as the only lawful basis for processing data for that purpose is the individual’s consent.
If a business is processing data on the basis of consent, it will need to consider:
- whether the consent currently obtained meets the requirements of the GDPR. If not, a new, GDPR-compliant consent to process the individual’s data will need to be obtained
- how to implement a process for evidencing that consent has been obtained from the individual
- an easy way for individuals to withdraw consent, and how the business will deal with these requests
- the appropriate period for which consent can remain valid.
The key is to be able to demonstrate that these issues have been considered and that there is a reasoned method behind each decision, in case it needs to be justified at a later stage.
Relying on an individual’s consent in an employment context will be the most difficult option, as there is an unequal bargaining position between an employee and an employer, meaning that consent is rarely freely given. Furthermore, as employees have the right to withdraw consent at any time, this can leave employers in a difficult position.
This means that employers will need to rely on another lawful basis to process the data. The other lawful bases for processing data include the following:
- to perform a contract to which a person is a party
- to comply with a legal obligation
- if it is necessary to protect someone’s life
- if the data is needed to carry out official functions or a task in the public interest
- for the legitimate interests of the data controller.
Employers should start to review the data they hold on their staff now so that thought can be given to the lawful basis they are relying on. If the only basis for having the data is consent, employers will need to ensure that the consent meets the new requirements, and this may mean going back to employees to obtain their express consent.
What happens when consent is not given?
If consent is not provided, and there is no other lawful basis for processing the data, then the individual’s data can no longer be processed.
How is Royds Withy King dealing with the issue of consent?
At Royds Withy King, we have established a GDPR task force drawn from members of our business support teams to ensure that our systems and processes are compliant with the GDPR when it comes into force on 25 May 2018.
In terms of getting our CRM system (where we hold all our client, contact and prospect data) compliant we will be sending a series of mailings in the new year, asking our contacts if they would like to ‘opt in’ to our marketing services and asking for their preferences as to topic. This will ensure that anyone we want to direct market to in the future has given us their explicit consent. From a marketer’s point of view, it also means we will be sending out much more targeted and relevant mailings to people who have opted in, so our response rates/engagement levels should be much higher. In future mailings we will continue to give individuals the option to withdraw consent. We will also maintain a central record of consent to enable us to evidence that we have complied with the Regulation.
We will continue our countdown to ‘GDPR day’ over the next few months. Next month, we’ll shine the spotlight on the issues around data retention and how businesses should deal with this issue.
For more information on the GDPR and how it might affect your business, please contact Kate Benefer:
01865 792 300