In today’s society, people are inundated with statistics, news stories and articles regarding data protection and subsequent breaches. With businesses across the globe gearing up for the implementation of the European Nation’s General Data Protection Regulation (GDPR), more and more individuals responsible for controlling the data are educating themselves about how and when they can lawfully process personal information.
Processing can take many forms and relate to a wide array of operations. The GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” GDPR Article 4(2). As such, it’s evident that processing covers a broad range of activity and can occur at any point in time during a relationship with a data subject. The GDPR provides six lawful grounds for the processing of data, including consent. Although at first blush consent may seem like a relatively straightforward rationale for retaining personal information, controllers of personal data should get familiar with the conditions for consent to ensure it is a valid basis for processing.
Article 4(11) of the GDPR states that consent means any freely given, specific, informed and unambiguous indication that evidences the agreement to process personal data. This should be by means of a statement or clear affirmative action. The data subject should have a choice, and transparency is of the utmost importance. A data controller, when assessing whether or not consent was freely given, should take into account whether, among other things, the performance of a contract relies on the receipt of consent that isn’t necessary for the contract to be carried out. A “clear affirmative action” invalidates the use of pre-ticked opt-in boxes and silence as a justification for consent. Data controllers should take special care to obtain consent prior to the processing of the data, and if the reasoning that necessitates consent changes, new consent should be requested. Article 29 Data Protection Working Party Guidelines on Consent under Regulation 2016/679.
Article 7 of the GDPR addresses Conditions for Consent. Some key components include that in order for consent to be a valid basis for processing, the controller of the personal data should be able to demonstrate that the data subject agrees to the processing. If the consent is part of a written declaration that also addresses other matters, the request for consent must be clearly discernable. The request for consent should be clear and limited to what is necessary. The data subject can withdraw consent at any time, and the withdrawal process should be a simple one. GDPR Article 7(1-3).
Data controllers should take into consideration special conditions that apply to the consent of a minor, as well as situations that require what the GDPR deems “explicit consent.” This may include situations where the personal data includes information on religious or philosophical beliefs, political opinions, and genetic and/or biometric data. It’s also important to consider questions like, “how long is this consent valid for in the absence of withdrawal? Can we apply the consent indefinitely?” The timeframe consent is considered valid can be contingent upon the context of the consent and the evolution of processing operations, among other things.
Consent can be tricky in the context of the GDPR, and failure to adhere to the GDPR standards may result in substantial administrative fines. Prior to relying on consent as a valid basis for processing, data controllers should take a deep dive into the elements. It’s important to keep in mind that no matter which of the six grounds for lawfulness of processing the controller chooses, they must be confident in the applicability and be able to stand by their choice. Navigating the stormy waters of GDPR can be a daunting task, and education is key.