General Data Protection Regulation Update – Consent
Any Game of Thrones enthusiast will be aware that "Winter is Coming" is the motto of House Stark. The words are intended to advocate caution and vigilance against the perils that winter brings. Those who watched the highly anticipated first episode of the new series of Game of Thrones will be aware that winter has finally arrived in Westeros, and so perhaps House Stark should adopt a new motto - "The GDPR is Coming".
We recently ran two seminars to provide organisations with an overview of the GDPR, which will replace the Data Protection Act 1998 ("the DPA") on 25 May 2018. Data protection is often seen (whether rightly or wrongly) as quite a dry subject and so I wasn't holding my breath for a sell-out, especially in the middle of holiday season. The response to the seminars was, however, overwhelming to the extent that we had to ask Hull Truck Theatre to help us out in order to cater for more people (and what a fantastic job they did!). Organisations certainly seem to be opening their eyes and ears more to the challenges they face to ensure compliance with data protection legislation.
A number of the questions asked at the seminars focused on the issue of consent and how the position with regard to consent will change under the GDPR. I thought it might be useful to run through some of the key points on this issue.
To recap, under the DPA personal data must be processed fairly and lawfully. In order to demonstrate compliance with this principle, an organisation has to issue a fair processing notice and satisfy one of the fair processing conditions set out in the DPA (e.g. that the data subject has given consent to that processing, or that processing is necessary to perform a contract with the data subject or to comply with a legal obligation of the data controller). This will remain the case under the GDPR.
Consent is often used by data controllers as the main mechanism for demonstrating compliance with the fair and lawful processing principle. However, consent is not always the best condition to rely on. Consent may be withdrawn by the data subject, or the reasons for which consent was originally sought may change. Furthermore, the data subject may not have any real choice over whether they give consent or may feel compelled to give consent (for example if an employer requests consent from an employee and the employee does not want to appear difficult).
The consent requirements under the GDPR are more onerous than under the DPA and this means that organisations will need to consider (where consent is used as the lawful basis for processing personal data) whether consent is appropriate or whether an alternative lawful basis should be relied on for processing that personal data.
The GDPR defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". This means that pre-ticked boxes, silence from the data subject or 'opt-out' boxes will no longer suffice.
Consent is one of the few areas in respect of the GDPR where the ICO has issued further guidance. Some of the headline points from the ICO's guidance are summarised below:
- Consent must be separate from other terms and conditions.
- There should be options to consent separately to different types of processing wherever appropriate (for example, if an organisation sends out a quarterly newsletter and also shares information with third parties so that those third parties can market their own products and services, the organisation should obtain separate consents for each activity).
- Consent must be verifiable - this means that organisations relying on consent will need to maintain records demonstrating what a data subject has consented to, what they were told, and when and how they consented.
- Public authorities, employers and organisations in a position of power should avoid relying solely on consent as there is an imbalance in the relationship and so consent may not be considered freely given.
- If an organisation asks for consent but, in reality, will process personal data on a different lawful basis if consent is not provided then this would be misleading and unfair.
- Organisations need consent when no other lawful basis applies.
To complicate matters a little further, there are additional rules relating to unsolicited marketing by electronic means which are set out in the Privacy and Electronic Communications Regulations 2003 ("PECR"). PECR requires organisations to obtain a data subject's consent in certain circumstances in order to send unsolicited marketing materials to that data subject. The consent requirements in PECR are not, however, as onerous as those set out in the GDPR. PECR is due to be replaced by the E-Privacy Regulations 2017 ("the Privacy Regulations") at the same time that the DPA is replaced by the GDPR (i.e. 25 May 2018), and the Privacy Regulations should complement the GDPR. The text of the Privacy Regulations is still being agreed, however, and it is unclear whether it will be finalised in time.
In summary then, consent should not be used as the default mechanism for demonstrating compliance with the fair and lawful processing principle. Organisations should review the circumstances where consent is being used as the lawful basis for processing personal data and consider whether it is appropriate or whether an alternative legal basis should be relied upon. This is particularly important in respect of public authorities, employers and organisations in a position of power where consent may not be seen as being "freely given".
Where consent is the appropriate legal basis for processing personal data (for example, where consent is required by law, where there is no other legal basis for processing personal data, or where it provides the data subject with a genuine choice) organisations should review the consent mechanisms that they have in place and establish whether they comply with the GDPR requirements. If the consent the organisation has obtained does not meet the stricter GDPR requirements then it will not be valid consent once the GDPR takes effect and steps should be taken now to obtain consent which does meet those requirements.
When the GDPR arrives, it does not bring with it White Walkers or the Night King, but it does substantially increase the level of fines which the ICO can issue for a breach. Failure to comply with the consent requirements is seen as a "Tier 2" breach. This means that the maximum fine per breach is set out in the higher, more serious category, which is EUR20 million or (if higher) 4% of the annual worldwide turnover of the organisation. Organisations should therefore take steps now to prepare for these changes: The GDPR is coming…
This article is for general guidance only. It provides useful information in a concise form. Action should not be taken without obtaining specific legal advice.