The GDPR - Do we always need consent?
Earlier this week, our CEO ran a seminar in Manchester about the General Data Protection Regulation (GDPR) and what it means for businesses. Many questions at the event related to one specific thing – the need for consent to process data.
The GDPR sets a high standard for consent, which can often be difficult to meet. Whilst consent may be necessary for many purposes, it is important for businesses to remember that consent is not the only basis on which to process data. A critical part of GDPR readiness is considering whether any other basis is applicable and documenting the decisions made. The Information Commissioner’s Office (ICO) offers some great guidance on consent and the other bases for processing data, which we have summarised below.
You must determine the lawful basis for processing the data before you begin to process it; this should always be documented and rarely changed at a later date. By including the lawful basis for processing and the purposes of processing within a privacy notice, you are clearly communicating to data subjects (individuals) why and how you will process their data. In cases involving special category data (i.e. criminal convictions, biometrics etc.), you must identify the lawful basis for general processing and an additional condition, or conditions, for processing this particular type of data.
Knowing what data you collect, what you are using it for, how sensitive it is and what you REALLY need should help you minimise the data and be clear about your lawful basis. The bottom line is this: if you cannot define what your basis for processing personal data is, you shouldn’t have the data!
The GDPR identifies six lawful bases for processing, which are:
- Consent – This provides individuals with real control, and can be used to build customer relations and enhance your brand reputation. Evidence of consent must be kept, reviewed and refreshed when anything changes. Consent requires a positive opt-in, meaning that pre-checked boxes and other default methods of consent are not allowed! Making consent a prerequisite of a service should be avoided. Also, you must make clear to the individual what they are agreeing to by keeping consent requests separate from other terms and conditions, being specific, being clear and naming any third parties involved in the processing. Individuals must be able to withdraw their consent just as easily as they gave it!
- Contract – This can be used as the basis for processing if you have to process data to fulfil your contractual obligations, or before entering into a contract (e.g. to provide a quote). Processing of the data must be necessary.
- Legal obligation – If you need to comply with a common law or statutory obligation, you may use this basis for data processing. The processing must be necessary and justifiable, with the ability to identify the legal obligation.
- Vital interests – This is likely to be used where data must be processed to save someone’s life. You cannot rely on this basis to process special category data if the individual is capable of giving consent, even if they refuse to provide consent. Processing of this data must be necessary and justifiable.
- Public Task – Most relevant to public authorities, this lawful basis allows for the processing of personal data “in the exercise of official authority” or to perform a specific task in the public interest set out in law. Again, this should be in cases where data processing is necessary and should be justifiable.
- Legitimate interest – Legitimate interests can be your own commercial, individual or societal interests, or those of third parties. This is the most flexible basis for data processing, which many consider a “catch all”, but you cannot assume that it will always apply or be the most appropriate choice. It is most likely to be appropriate where people’s data is used reasonably, with minimal impact on privacy, or where there is a reasonable justification for processing. Reliance on this basis means that you must take extra responsibility in considering and protecting the rights and interests of individuals. You need to identify a legitimate interest, show that processing of the data is necessary, and then balance your interests against the individual’s rights and freedoms. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests. Details of legitimate interests as a basis for processing must be included in your privacy notice.
As is clear to see, consent is not always required to process individuals’ data, but at all times it is necessary to document the reason for processing and be able to justify it. By taking individual rights and freedoms into account and communicating this effectively to your existing and prospective customers, you can seriously enhance your brand reputation whilst doing the right thing.