How has consent changed under the GDPR?
The GDPR does not fundamentally alter the principles of consent regarding the processing (eg storing) of personal data (eg names and addresses). However, it sets a higher bar for valid consent, emphasising the importance of explicit opt-in which is freely given and the right to withdraw consent at any time. It has also narrowed the legal justification for processing personal data without consent, making valid consent even more crucial.
When is consent necessary?
Consent is not always needed to process personal data; there are 5 other lawful bases:
contract - if there is a contract with the individual (eg business or employment) that necessitates data processing
compliance with legal obligation - if it's legally necessary to process the data
vital interests - if data needs to be processed to protect the life of the data subject (who is incapable of providing consent) or someone else
public tasks - if the processing is necessary to perform an official task (ie by a public authority)
legitimate interests - this requires balancing the 'legitimate interests' of the data controller (ie the oraganisation that on the purposes for and means of processing personal data) against the interests and fundamental rights of the data subject using a Legitimate interest assessment
In the absence of meeting one of these other lawful bases, it is necessary to gain explicit consent of the data subject before processing their personal data.
For more information about the other grounds for processing personal data, read Processing personal data.
What constitutes valid consent?
There are certain conditions that must be met to ensure that consent is valid:
freely given - an individual must be given a genuine choice when providing consent and it should generally be unbundled from other terms and conditions (eg access to a service should not be conditional upon consent being given)
specific and informed - this means that data subjects should be provided with information as to the identity of the controller(s), the specific purposes, types of processing, as well as being informed of their right to withdraw consent at any time
explicit and unambiguous - the data subject must clearly express their consent (eg by actively ticking a box which confirms they are giving consent - pre-ticked boxes are insufficient)
under 13s - children under the age of 13 cannot provide consent and it is, therefore, necessary to obtain consent from their parents
For more information, see the guidance on valid consent provided by the Information Commissioner’s Office (ICO).
How should records on consent be managed?
Businesses should record each instance of consent provided and manage these records appropriately. The following should be recorded:
the identity of the data subject providing their consent
the time and date of consent being given
the method of consent (eg whether this was given online or in-person)
Consent should be reviewed at regular intervals to determine whether it is still sufficient for the current purposes of data processing. It is also important to provide individuals with a straightforward method of withdrawing their consent at any time - and records should be updated to reflect any withdrawal of consent.
Can I contact previous customers to ask for consent?
As a general rule, if consent to data processing had been properly obtained prior to the GDPR coming into force (ie it had met the standard required under the GDPR) or was not necessary due to a legitimate interest (eg they were an existing customer) there is no need to obtain consent (again). If consent had been obtained in a way that was not compatible with the GDPR (eg with the use of pre-filled tick boxes) then it would be necessary to regain consent. However, if a customer had opted out of email communication, then the act of contacting them to regain consent will potentially contravene the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
It is a good idea to familiarise yourself with the laws on marketing and customer communications before contacting customers. For more information, read Marketing and the law and Considerations for email marketing.
For more information on consent under the GDPR, see the ICO website. If you have any questions or concerns about data protection and data processing, do not hesitate to Ask a lawyer or use our GDPR compliance service.
For more information on the GDPR and data protection in general, read Complying with the GDPR, Data protection, Processing personal data, General Data Protection Regulation (GDPR) FAQs and How to make a business GDPR-compliant checklist.