GDPR & Consent – No Box Ticking Exercise
Following on from our previous article relating to the implementation of the General Data Protection Regulations (GDPR) in the UK, we now focus on some of the fundamental changes due by May 2018.
One of the core principles of GDPR is giving individuals genuine choice and control over how (and whether) their personal data is processed. This has brought about a particularly important change in relation to processing personal data on the basis of consent, making the requirements for consent more difficult to satisfy and prompting technical and procedural changes from organisations that process personal data.
In particular, organisations that use any sort of consent-by-default process when collecting personal data (such as pre-ticked opt-in boxes or requirements to opt out of data processing) need to consider what changes would be necessary to ensure that the personal data is being collected with consent which is “freely given…by a statement or by a clear affirmative action”.
Further, in addition to the new requirements around consent, organisations will also need to turn their minds to the new right available to data subjects which permits the removal of that consent, requiring the associated personal data to be deleted. Given the sophistication and complexity of many organisations and how they use personal data, will it be straightforward to isolate and remove all personal data given by a subject on the basis of consent? Might the organisation instead be able to rely on any of the exemptions available?
GDPR raises the bar on what is required from organisations. Equally, be aware that there are a number of other available grounds for personal data to be processed that may be worth considering. For example, it is unlikely that an employer could argue that consent to process has been “freely given” by its employee, due to the imbalance of power in that relationship, but it could rely on the processing being necessary for the performance of the employment contract.
In terms of changes needed on or before the May 2018 implementation date, there is no automatic requirement to re-confirm individuals’ consent to data processing, but organisations will have to make sure that such consent complies with the requirements of GDPR (and if not, seek consent or stop processing). Organisations should now be reviewing their data sets to determine the extent to which consent is relied on for processing personal data, and whether that consent is sufficient to meet the requirements of the GDPR.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.