To comply with the “lawfulness” principle of UK GDPR, controllers must have valid grounds, or a “lawful basis” for the processing of personal data. Consent is one of the six bases for processing a data subject’s personal data.
The six bases for processing personal data |
|---|
Under Article 6 of the UK GDPR, the six legal bases, at a high level are:
|
A high standard needs to be met for consent to be valid under UK GDPR. Consent must be a freely given, specific, informed and unambiguous indication of the data subject’s wishes, which the data subject, by a clear statement or clear affirmative action signifies agreement to the processing of their personal data. In order to comply with these requirements, amongst other considerations, those relying on consent as a basis for processing should ensure:
- They can demonstrate that a data subject has consented to the processing of their personal data – accurate records are required.
- There is a positive opt-in or other positive action required. Pre-ticked boxes or default methods of consent should not be used.
- It is clear what is being consented to, specifically - blanket or vague consent covering lots of diverse matters is not sufficient.
- That the data subject is made aware of who the controller is and of any third-party controllers who will rely on the consent.
- That the performance of a contract is not conditional on consent to process personal data that is not necessary for the performance of that contract.
- The request for consent is not muddled up with other terms and conditions.
- A person can refuse consent without detriment.
- It is easy for the data subject to withdraw consent at any time (as easy it was to give consent) without being penalised, and that they are provided the details on how to do so.
- Consents are always kept under review and not treated as a “one-off”.
Where special categories of personal data are being processed, one of nine further special conditions set out in Article 9 UK GDPR must be complied with. One of these is a requirement to obtain explicit consent to the processing of the information. The Information Commissioner’s Office (the ICO) has listed what the extra requirements for obtaining explicit consent are likely to be: (a) the consent must be confirmed in a clear statement, which may be oral or written, (b) the nature of the special category data must be specified, and (c) it should be separate from any other consents that the person is seeking. We note that point (a) might be achieved by obtaining a signed statement of consent or some other explicit mechanism such as sending an email which expressly provides the consent.
Consent may not be the most suitable lawful basis for processing. In particular, note that a data subject can withdraw its consent at any time, making future processing difficult. ICO guidance states that when a data subject withdraws consent, the organisation must stop processing and cannot swap to a different basis for processing that information, even if that basis would have suitable in the first place.
For more information or advice on data protection compliance, please contact Beverley Flynn or any member of the commercial and technology team.
Beverley Flynn
Rachel Wright