How has consent changed under the GDPR?
The GDPR does not fundamentally alter the principles of consent regarding the processing of personal data. But it sets a higher bar for valid consent, emphasising the importance of explicit opt-in which is freely given and the right to withdraw consent at any time. It has also narrowed the legal justification of processing personal data without consent, making valid consent even more crucial.
When is consent necessary?
Consent is not always needed to process personal data; there are five other lawful bases:
- Contract - if there is a contract with the individual (eg business or employment) which necessitates data processing
- Compliance with legal obligation - if it's legally necessary to process the data
- Vital interests - if data needs to be processed to protect the life of the data subject (who is incapable of providing consent) or someone else
- Public tasks - if the processing is necessary to perform an official task (ie by a public authority)
- Legitimate interests - this requires balancing the 'legitimate interests' of the controller against the interests and fundamental rights of the data subject
In the absence of meeting one of these other lawful bases, it is necessary to gain explicit consent of the data subject before processing their personal data.
What constitutes valid consent?
There are certain conditions that must be met to ensure that consent is valid:
- Freely given - an individual must be given a genuine choice when providing consent and it should generally be unbundled from other terms and conditions (eg access to a service should not be conditional upon consent being given)
- Specific and informed - this means that data subjects should be provided with information as to the identity of the controller(s), the specific purposes, types of processing, as well as being informed of their right to withdraw consent at any time
- Explicit and unambiguous - the data subject must clearly express their consent (eg by actively ticking a box which confirms they are giving consent - pre-ticked boxes are insufficient)
- Under 13s - children under the age of 13 cannot provide consent and it is, therefore, necessary to obtain consent from their parents
How should records on consent be managed?
Businesses should record each instance of consent provided and manage these records appropriately. The following should be recorded:
- Identity of data subject providing their consent
- Time and date of consent being given
- Method of consent (eg whether this was given online or in-person)
Consent should be reviewed at regular intervals to determine whether it is still sufficient for the current purposes of data processing. It is also important to provide individuals with a straightforward method of withdrawing their consent at any time - and records should be updated to reflect any withdrawal of consent.
Can I contact previous customers to ask for consent?
As a general rule, if consent to data processing had been properly obtained prior to the GDPR coming into force, ie it had met the standard required under the GDPR - or was not necessary due to a legitimate interest (eg they were an existing customer) - there is no need to obtain consent (again). If consent had been obtained in a way that was not compatible with the GDPR (eg with the use of pre-filled tick boxes) then it would be necessary to regain consent. However, if a customer had opted out of email communication, then the act of contacting them to gain consent (again) will potentially contravene the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
For more information on consent under the GDPR, see the ICO website.