GDPR – How Not To Screw Up Consent?
The General Data Protection Regulation, or GDPR, replaces the Data Protection Directive (“Directive”), which has been in effect since 1995. The GDPR became law in April 2016, but organizations were given a two-year grace period to comply. The effective date for compliance is on May 25, 2018. The GDPR enables all EU nations to have a single set of rules that apply to all organizations that process personal data of EU citizens. The underlying idea is that every EU citizen has a fundamental right to privacy. To that effect, the GDPR has promulgated the concept of data subject’s consent which provides normal users with choices and empowers them to control how their personal data is used. Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data, such as opting-in.
The GDPR requires organizations to have a lawful basis for each processing activity that requires the use of personal data. The GDPR allows processing of personal data under one of the following six legal grounds:
- Consent is provided by the data subject for one or more specific purposes.
- Performance of a contract relating to the data subject.
- Compliance with the controller’s legal obligations.
- Protection of the vital interests of the data subject or natural person.
- Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests of the controller or third party unless such interests are overridden by the data subject’s interests, fundamental rights, and freedoms.
Consent is just one of six legitimate purposes for processing personal data and it should only be relied upon if no other lawful basis for processing qualifies because the individual can choose to deny or withdraw consent at any time. Furthermore, the controller carries the burden of obtaining valid consent and appropriately managing consent which itself can be a monumental task. Therefore, organizations should consider whether consent is the appropriate legal basis for the processing activity or whether another legal basis may be more appropriate.
Important Aspects of Consent:
- Consent is freely given when it is truly optional for the data subject.
- A clear affirmative action is a positive indication of agreement to the processing of personal data such as ticking a box and opting in. It is not silence, inaction or pre-ticked boxes.
- Explicit consent is required for processing certain types of personal data such as racial or ethnic origin, political opinions, and religious or philosophical beliefs.
- Consent is not conditional upon performance of a contract or service.
- Consent should not be bundled in with Terms & Conditions.
- Consent may not be needed where the organization is in a power of position over the data subject or the organization would still process the data under a different legal basis.
- If data is shared with third parties then they must be specifically named.
- Consent to a range of marketing-related purpose is invalid.
- Disclose the name of the organization and any third parties who will rely on the consent.
- Inform data subjects of their right to withdraw consent at any time.
- Consent must be from a person of age or authorized by a parent or guardian.
- Specify why and for what purpose the personal data is needed.
- Keep a record such as a log of when, why and how consent was obtained from the individual.
- Review consent data on a regular basis to make sure the processing and purposes for the personal data have not changed.
- Provide separate options so that consent can be given for different types of processing.
- Obtain consent at appropriate intervals.
- Make it easy for individuals to control how their personal data is used or shared.
- Make it simple to withdraw consent.
- Promptly process withdrawals of consent.
- Do not penalize individuals who choose to withdraw consent.
Remember, inappropriate consent can destroy trust and damage your organization’s reputation. Individuals need to be able to trust that their personal data is not being used for things they did not consent to or that they do not understand, request, or envision. Do not make it difficult for individuals to control how their personal data is being used or shared. Invalid or inappropriate consent can subject you to substantial fines under the GDPR as well as civil claims relating to data privacy violations.
Server General offers a range of services to enable organizations to comply with the GDPR. Contact us if you are looking for strategic advice in regards to data subject’s consent, have a business need to transfer personal data across geographical boundaries or are looking to encrypt personal data stored in a database/file server. You can either send an email to firstname.lastname@example.org or fill out the “Contact Us” form.
Disclaimer: This is not legal advice for your organization to use in complying with the GDPR. It is simply our interpretation of the law. This information is not the same as legal advice. You should consult an attorney for advice when applying the law to your specific situation. You may not rely on this post as legal advice, nor as a recommendation of any particular legal understanding.