What Will ‘Consent’ Mean Under the GDPR?

“Under the GDPR the definition of consent is clearer and more rigorous…”

The current Data Protection Act (DPA) and the GDPR both state that every organisation that processes personal data must have a legal basis for doing so; ‘consent’ is just one choice. If consent is your chosen legal basis then you need to be aware of differences between the current DPA and the GDPR.  Under the GDPR the definition of consent is clearer and more rigorous in order to ensure a consistent approach across the EEA.

The definition of consent in Article 4 (11) of the GDPR is: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’  Let’s look at some of the words and phrases in detail:

Freely given

“…data subjects must provide consent of their own free will and must never be misled…”

Current Data Protection guidance states that data subjects must provide consent of their own free will and must never be misled or somehow negatively impacted by refusing consent. The GDPR formalises this, stating the consent is not deemed as freely given when:

  • ‘the data subject has no genuine and free choice or is unable to refuse or withdraw consent without detriment’ (Recital 42).
  • ‘there is a clear imbalance between the data subject and the controller’ (Recital 43). This especially applies when the data controller is a public authority with power over the data subject.

Recital 43 says that consent is not deemed to be freely given if the provision of a service is conditional to the data subject agreeing to have their data processed in ways that are not necessary to that service. The reason is that the data subject has no choice but to agree to this unnecessary processing.  Recital 43 also says that consent is not freely given if separate consents are not obtained for different data processing operations.  ‘Bundled’ consents are usually invalid.

Specific

“A general consent to unspecified processing operations will normally be invalid.”

Consent must be specifically obtained from the data subject for each and every personal data processing operation. A general consent to unspecified processing operations will normally be invalid.  There are exceptions to this such as when data processing is for scientific research.

Informed

“…data subjects must be informed of their right to withdraw consent …”

The GDPR states that:

  • ‘the data subject should be aware at least of the identity of the controller and the intended purposes of the processing’ – Recital 42.
  • ‘data subjects must be informed of their right to withdraw consent at any time prior to giving consent’ – Article 7 (3)

Unambiguous…clear, affirmative action

“…pre-ticked boxes and silence do not constitute consent.”

Under the current DPA, consent must be unambiguous. The GDPR takes this further.  Consent requires a clear affirmative action – pre-ticked boxes and silence do not constitute consent.  Clear affirmative action could be obtained in writing which includes electronic forms, or it can be oral.  Obviously oral consent makes it more difficult to prove that consent has been obtained.  Online forms should be written in plain language so that there is no question that the data subject understands what they are agreeing to.  Where consent is included in terms and conditions then it must be presented so that it stands out from the rest of the document.

The right to withdraw

“Organisations must make it easy to withdraw consent…”

GDPR Article 7 (3) says that data subjects must be able to withdraw their consent at any time. They must be informed about their right to do that at the time of granting consent.  Organisations must make it easy to withdraw consent, therefore if your company relies on consent as their legal basis you need to make sure that this won’t pose considerable challenges.

‘Explicit’ consent

“…explicit or express consent is given in writing with a handwritten signature.”

Where the GDPR sets out the legal requirements for sensitive data it uses the term ‘explicit consent’ rather than just ‘consent’. Sensitive personal data is information about a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or criminal offences. The GDPR doesn’t define the difference between ‘explicit consent’ and ‘consent’. Therefore you could take the advice of the Article 29 Working Party in Opinion 15/2011 who consider that: ‘…explicit or express consent is given in writing with a handwritten signature.  For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data’.

How can my organisation prepare for changes to consent?

If you are relying on consent as the basis for lawful processing make sure that:

  • consent doesn’t rely on silence or pre-ticked boxes
  • consent is specific to each type of processing that you carry out
  • consent isn’t embedded within other documents like your terms and conditions, but stands out
  • the supply of your service isn’t on the condition of data subjects supplying consent for processing activities that are not necessary to your service
  • data subjects are clearly informed that they can withdraw consent at any time
  • methods for withdrawing consent are easy to use
  • separate consents are obtained for each processing operation
  • consent is not the legal basis for processing personal data when there is an imbalance between the data subject and data controller.

Final point: make sure that you are aware of all types of legal basis for processing data. Under the GDPR, using ‘consent’ as your legal basis for processing personal data is not always the easiest or best option.

For further advice and support on meeting the requirements of the GDPR, contact our lead auditors on 0844 826 6006 or email us at info@ndcmanagement.co.uk.

ISO 50001 audit tool

Share On: