The current Data Protection Act (DPA) and the GDPR both state that every organisation that processes personal data must have a legal basis for doing so; ‘consent’ is just one of the available bases. If consent is your chosen legal basis, you need to be aware of the differences between the current DPA and the GDPR. Under the GDPR the definition of consent is clearer and more rigorous, in order to ensure a consistent approach across the EEA.
The definition of consent in Article 4 (11) of the GDPR is: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ Let’s look at some of the words and phrases in detail:
Current Data Protection guidance states that data subjects must provide consent of their own free will and must never be misled or somehow negatively impacted by refusing consent. The GDPR formalises this, stating that consent is not deemed to be freely given in the following cases:
Recital 43 says that consent is not deemed to be freely given if the provision of a service is conditional on the data subject agreeing to have their data processed in ways that are not necessary for that service. The reason is that the data subject has no choice but to agree to this unnecessary processing. Recital 43 also says that consent is not freely given if separate consents are not obtained for different data processing operations. ‘Bundled’ consents are usually invalid.
Consent must be specifically obtained from the data subject for each and every personal data processing operation. A general consent to unspecified processing operations will normally be invalid. There are exceptions to this, such as when data processing is for scientific research.
Under the current DPA, consent must be unambiguous. The GDPR takes this further: consent requires a clear affirmative action, so pre-ticked boxes and silence do not constitute consent. A clear affirmative action can be given in writing, which includes electronic forms, or orally. Obviously, oral consent makes it more difficult to prove that consent has been obtained. Online forms should be written in plain language so that there is no question that the data subject understands what they are agreeing to. Where consent is included in terms and conditions, it must be presented so that it stands out from the rest of the document.
GDPR Article 7 (3) says that data subjects must be able to withdraw their consent at any time, and they must be informed about this right at the time of granting consent. Organisations must make it easy to withdraw consent, so if your company relies on consent as its legal basis you need to make sure that handling withdrawals won’t pose considerable challenges.
Where the GDPR sets out the legal requirements for sensitive data, it uses the term ‘explicit consent’ rather than just ‘consent’. Sensitive personal data is information about a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or criminal offences. The GDPR doesn’t define the difference between ‘explicit consent’ and ‘consent’. You could therefore take the advice of the Article 29 Working Party in Opinion 15/2011, which considers that: ‘…explicit or express consent is given in writing with a handwritten signature. For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data’.
Final point: make sure that you are aware of all types of legal basis for processing data. Under the GDPR, using ‘consent’ as your legal basis for processing personal data is not always the easiest or best option.