The landmark legislation has changed the way organisations approach data privacy and put consumers back in the driver’s seat, giving them greater control over how their data is stored and processed.
When the GDPR came into effect on 25 May 2018, it signalled the biggest shake-up of data privacy laws in 20 years.
The legislation was introduced to reflect our increasingly digitalised world and recognise the rights of individuals with regard to the use of their personal data.
Pretty much every service we use, whether it’s a social media platform, retailer or bank, will collect, analyse and store our personal data. Under the GDPR, organisations are now duty bound to demonstrate they are handling this data lawfully, fairly and in a transparent manner.
The EU defines ‘Personal Data’ as any information that can be used to directly or indirectly identify an individual (data subject). This can include everything from a name and email address to an IP address and images. It also includes sensitive personal data such as biometric data or genetic data which could be processed to identify an individual.
Processing personal data is generally prohibited unless it’s been permitted under applicable law or the data subject has consented to the processing. However, consent is just one of six legitimate purposes, at least one of which is required for all processing of personal data.
Valid GDPR Consent
Under the GDPR, ‘lawful processing’ is only possible when:
- There is consent from the data subject
- Processing is necessary for the performance of a contract with the data subject
- Processing is necessary to comply with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where interests are overridden by the interests, rights or freedoms of the data subject
What is consent?
Consent is a way of building trust between a user and an organisation. As defined by the GDPR: “Consent is a freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or a clear affirmative action signifies agreement to the processing of data relating to him or her.”
Consent is defined fairly narrowly from a GDPR perspective. For instance, if a user supplies consent for their data to be used for the purpose of cyber fraud detection and their data is later used for marketing purposes without their knowledge or choice, then that is a violation of the personal privacy of the data subject.
Also, consent forms cannot be embedded in lengthy terms of service agreements. To ensure transparency, consent forms must be separate, specific and explicit in nature.
What Makes Consent Valid?
When consent is required to process personal data, the following conditions must be met in order for that consent to be valid:
1. Consent needs to be freely given
For consent to be freely given, the individual must be able to choose whether or not they want their data processed. If the individual has no choice in the processing of this data, then consent is not freely given and will be deemed invalid. The individual should also be able to refuse consent without any negative repercussions and have the ability to withdraw their consent at any time. Consent should be unbundled from other terms and conditions where possible.
2. Consent needs to be specific
Consent should be specific to the actual purposes for which the data will be used. As specified by the GDPR: “obtaining valid consent can only be done after the data controller has determined a specific, explicit and legitimate purpose for the intended processing activity.” When the processing has multiple purposes, consent must only be given for the purposes based on consent.
3. Consent needs to be informed
For consent to be considered valid, the individual needs to know:
- The identity of the organisation processing the data
- The purposes for which the data is being processed
- The type of data that will be processed
- The option to withdraw consent
4. Consent needs to be unambiguous
Consent should be given by a clear affirmative act so that the wishes of the individual are clear. The request for consent needs to be in clear and plain language, intelligible and easily accessible. This could be by a written or oral statement. Silence, pre-ticked boxes or inactivity do not constitute valid consent.
What are the rules on children’s consent?
Parental consent is generally required for those under 16, although the ages required for consent vary by EU participating country. In addition, reasonable efforts need to be made to verify the identity of the person providing the consent on behalf of the child.
The process of consent may be stricter under the GDPR, but it provides organisations with the opportunity to develop greater levels of trust and transparency with their customers.
MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.
DISCLAIMER: The content and opinions within this blog are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances, the Data Protection Act, or any other current or future legislation. MetaCompliance shall accept no responsibility for any errors, omissions or misleading statements, or for any loss which may arise from reliance on materials contained within this blog.