Do you need consent at all?
Whether you actually need consent from an individual to store and process their data is one of the most misunderstood parts of the GDPR. There are many articles out there stating that you'll need 'consent for everything' after May 2018, but this is simply wrong.
Consent isn't an aim of the GDPR. The goals of the GDPR are to protect the rights of the individual and to ensure their data is processed in line with a series of principles. Consent is simply one of the mechanisms by which data processing becomes lawful; it is by no means the only one.
You do not need consent to perform the data processing necessary to fulfil the contract you have with the individual
Lawful processing of data; consent is only one way to achieve it
This is the full list of the ways in which data processing becomes lawful, as defined in Article 6(1); processing is lawful only if at least one of them applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The takeaway from the above is that consent is not the only thing that allows you to legitimately process an individual's data. We asked the ICO about this specifically, with the aid of an example:
A business selling products to individuals would not need consent to keep the personal data needed for raising invoices, or to process those invoices, as that would be 'necessary for the performance of a contract' (from Article 6(1)(b)).
Likewise they would not need consent to retain that information in their accounts database for the statutory period as that would be necessary for "compliance with a legal obligation".
However, if you wanted to then use the customer's purchasing history to profile their spending patterns, then that might require consent, as that profiling is not required to fulfil the individual's primary contract with you (the provision of goods/services).
Recital 47 adds another couple of specific cases that will likely be of great interest to many businesses, namely:
The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
The need for consent for direct marketing has sparked a lot of discussion, but the above certainly seems to suggest that direct marketing can be treated as a legitimate interest and therefore does not require separate consent under the GDPR. Two caveats apply: under legitimate interests the individual keeps an unconditional right to object to direct marketing (Article 21(2)), and unsolicited electronic marketing (email, SMS, automated calls) is separately regulated by PECR, which in most cases requires consent regardless of your GDPR basis. Recital 70 (quoted below; Recital 71 deals with automated decision-making) supports the legitimate-interests reading, since a right to object only makes sense where the processing does not already depend on the individual's consent:
Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
We're going to ask the ICO to confirm this and we'll update this section once we have an answer.
Lawful processing of special personal data
Processing of special categories of personal data (Article 9), namely racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health, sex life and sexual orientation, is prohibited unless the individual has given explicit consent or one of the other specific exceptions in Article 9(2) applies (for example obligations under employment or social security law, vital interests where the person cannot consent, or data the individual has manifestly made public).
Performance of a contract is not one of those exceptions, so there is no implied consent for special category data based on your contract with the individual. Unless another Article 9(2) exception applies you will need explicit consent, and "explicit" is a higher bar than the ordinary consent described below: in practice it means consent expressly confirmed in words, not inferred from conduct.
If you need consent to use personal data or special personal data, how do you get it correctly?
The GDPR defines consent (Article 4(11)) as follows:
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
That's pretty clear, but the Recitals and the ICO clarify this even further. These are some important points to note on consent:
- The individual must understand what they are consenting to
- Where you are processing their data in multiple ways, make sure you have consent for each of those processing activities that requires it. This will almost certainly mean separate consent for each purpose, as freely given consent (see below) requires the ability to agree to each purpose separately.
- Consent requires an opt-in, not an opt-out. For example, you cannot pre-tick an assent box; the individual has to tick it themselves.
- Consent cannot be inferred from the individual not doing something
- Consent must be separate from your terms and conditions
- If you are processing personal data in a way that's outside what would be considered necessary to perform your contract with the individual, you will need to ask for explicit consent to continue those activities or else stop that processing for individuals from whom you do not have consent.
- It has to be as easy for individuals to withdraw consent as to give it
- You must have a record of who has consented, exactly what they consented to and when
- Consent doesn't have to be ticking a box on a website, it could be a written or oral statement, selecting preference settings on a website "or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data" (Recital 32)
The concept of freely given consent requires a bit of explanation too:
- Provision of a service cannot be made conditional on consent to processing that is not required to deliver that service; so, say, you couldn't refuse to accept orders from people who didn't want to be profiled (Recital 43, Article 7(4)).
- Consent is not considered freely given if the consent for one activity was bundled up with another. In other words, you cannot say "tick here to give consent to us processing your order and to receive direct marketing from third parties".
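The requirements above translate directly into how a consent store has to behave: one lawful basis per purpose, consent asked for only where that basis is consent, one affirmative act per purpose (no bundling), no consent by default, withdrawal as easy as granting, an objection route for legitimate-interests marketing, and an audit trail of who agreed to what and when. The following is an added example of such a ledger, written for this page and not code from the original article or from the ICO; the purpose names, the `Basis` enum and the simplification that contract and legal-obligation processing never depend on the subject's choice are assumptions for illustration.

```python
"""Consent ledger: one lawful basis per purpose, per-purpose consent events kept
as an append-only audit record. Added example, not code from the original page."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Basis(Enum):
    """Article 6(1) lawful bases. Only CONSENT requires a consent record."""
    CONSENT = "6(1)(a)"
    CONTRACT = "6(1)(b)"
    LEGAL_OBLIGATION = "6(1)(c)"
    VITAL_INTERESTS = "6(1)(d)"
    PUBLIC_TASK = "6(1)(e)"
    LEGITIMATE_INTERESTS = "6(1)(f)"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool      # True = consent given, False = consent withdrawn
    at: datetime       # when the subject acted (UTC)
    evidence: str      # what the subject was shown and how they signified agreement


class ConsentLedger:
    def __init__(self, purposes: Dict[str, Basis]):
        # purpose name -> the single lawful basis relied on for that purpose (assumed mapping)
        self._purposes = purposes
        self._events: List[ConsentEvent] = []            # append-only: never edited or deleted
        self._objections: Set[Tuple[str, str]] = set()  # (subject, purpose) objections under Art. 21

    def _basis(self, purpose: str) -> Basis:
        if purpose not in self._purposes:
            raise KeyError(f"unknown purpose {purpose!r}; register it with its basis first")
        return self._purposes[purpose]

    def _append(self, subject_id: str, purpose: str, granted: bool,
                evidence: str, at: Optional[datetime]) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, granted, at or datetime.now(timezone.utc), evidence)
        self._events.append(ev)
        return ev

    def grant(self, subject_id: str, purpose: str, evidence: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        """Record one affirmative act for ONE purpose. Several purposes mean several
        calls, each with its own evidence; a purpose on another basis is refused so
        that consent is never collected where it is not the basis relied on."""
        if self._basis(purpose) is not Basis.CONSENT:
            raise ValueError(f"{purpose!r} does not rely on consent; do not ask for it")
        if not evidence.strip():
            raise ValueError("consent needs evidence of a clear affirmative action")
        return self._append(subject_id, purpose, True, evidence, at)

    def withdraw(self, subject_id: str, purpose: str, evidence: str = "subject withdrew",
                 at: Optional[datetime] = None) -> ConsentEvent:
        """Same shape and effort as grant(): withdrawing must be as easy as giving."""
        self._basis(purpose)
        return self._append(subject_id, purpose, False, evidence, at)

    def record_objection(self, subject_id: str, purpose: str) -> None:
        """Right to object (Art. 21) to legitimate-interests processing; for direct
        marketing the objection must always be honoured, so no balancing test here."""
        if self._basis(purpose) is not Basis.LEGITIMATE_INTERESTS:
            raise ValueError("objection applies to legitimate-interests processing")
        self._objections.add((subject_id, purpose))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest event wins. With no event at all the answer is False: silence,
        inactivity or a pre-ticked box never counts as consent."""
        state = False
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                state = ev.granted
        return state

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Is this processing lawful for this subject right now?"""
        basis = self._basis(purpose)
        if basis is Basis.CONSENT:
            return self.has_consent(subject_id, purpose)
        if basis is Basis.LEGITIMATE_INTERESTS:
            return (subject_id, purpose) not in self._objections
        return True  # contract, legal obligation etc.: assumed not to depend on the subject's choice

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Who consented to what, and when: the record you must be able to produce."""
        return [ev for ev in self._events if ev.subject_id == subject_id]


if __name__ == "__main__":
    # Assumed purposes mirroring the article's example business.
    ledger = ConsentLedger({
        "invoicing": Basis.CONTRACT,
        "spend_profiling": Basis.CONSENT,
        "direct_marketing": Basis.LEGITIMATE_INTERESTS,
    })
    ledger.grant("alice", "spend_profiling", "ticked 'analyse my purchases' on /preferences")
    ledger.withdraw("alice", "spend_profiling", "unticked 'analyse my purchases' on /preferences")
    ledger.record_objection("alice", "direct_marketing")
    for purpose in ledger._purposes:
        print(purpose, ledger.may_process("alice", purpose))
    for ev in ledger.history("alice"):
        print(ev.at.isoformat(), ev.purpose, "granted" if ev.granted else "withdrawn", "-", ev.evidence)
```

The design choices follow the list: `grant()` takes exactly one purpose and refuses purposes whose basis is not consent, so the code cannot bundle or over-collect; `has_consent()` defaults to false; `withdraw()` has the same shape as `grant()`; and the event log is never rewritten, so the who/what/when record survives withdrawal.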
Remember though, you don't always need consent, so while consent requires careful consideration, it will not necessarily apply to you, or to all areas of your business.