GDPR and consent: what you need to know
You may have noticed recently that your inbox has been overflowing with emails from companies asking you to opt in to receive marketing communications.
These campaigns are an attempt to obtain consent ahead of the impending enforcement of the General Data Protection Regulation (GDPR) which becomes UK law on 25th May.
Amid the flurry of privacy notices, we’re going to take a closer look at the subject of consent and lawful processing under the GDPR. Previously, we’ve blogged about GDPR, its impact and how you can prepare. You can read those blogs here. Firstly, a quick recap…
What is the GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is designed to enhance data privacy for all EU citizens.
The requirement to have a lawful basis in order to process personal data is not new. However, the GDPR places more emphasis on being accountable for, and transparent about, your lawful basis for processing.
With two weeks to go, a survey by the Institute of Directors (IoD) found that just six in ten company directors feel their organisation is fully compliant with the GDPR regulations.
What is consent under the GDPR?
The Information Commissioner’s Office (ICO) states that a person’s indication of consent must be:
- freely given; and
- an unambiguous statement or clear affirmative action.
It bans soft opt-ins such as pre-ticked boxes. It also states consent should be separate from terms and conditions and should not generally be a precondition of signing up to a service.
Do you have to update a data subject’s consent?
No, not always. This is one of the great GDPR myths.
The GDPR does not explicitly require consent.
However, for processing to be lawful under the GDPR, you need to identify (and document) your lawful basis for the processing.
Consent is one of six lawful grounds listed in Article 6(1) and at least one of them must apply whenever you process personal data. If consent is difficult, you should consider using an alternative.
According to the ICO, the six lawful grounds are:
- Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Legal obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;
- Vital interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Public task: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- Legitimate interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
How to update a data subject’s consent?
Examples of a clear affirmative action, or opt-in, include:
- signing a consent statement on a paper form;
- ticking an opt-in box on paper or electronically;
- clicking an opt-in button or link online;
- selecting from equally prominent yes/no options;
- choosing technical settings or preference dashboard settings;
- responding to an email requesting consent; and
- answering yes to a clear oral consent request.
As previously mentioned, consent is one lawful basis for processing, but you have other options. For example, if you have a contractual relationship with your customers, Article 6(1)(b) would apply. Similarly, you could rely on Article 6(1)(f) if you can identify, through a legitimate interests assessment (LIA), that the data subject (or you) has a legitimate commercial, individual or societal interest in the processing of the personal data.
If you decide that you require consent, the ICO state that maintaining records electronically will benefit most organisations.
What changes do you need to make to your data capture forms?
The ICO states that you should review your existing consent mechanisms against the following new guidelines:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
How will GDPR affect Clinical Trials?
Under the GDPR, clinical trial data is considered more sensitive and falls under a “special category” of data, which warrants greater protection.
The collection and processing of clinical trials data (e.g. race/health/genetic) for scientific or research purposes is forbidden under the GDPR unless certain conditions are met. One such condition is that the data subject provides their explicit consent. Explicit consent means that the data subject must give an express statement of consent.
According to the Article 29 Data Protection Working Party (WP29), who provided interpretative assistance on the Regulation, a data subject may be able to issue the explicit consent by filling in an electronic form, by sending an email, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature.
Let us manage GDPR compliance for you
With the deadline approaching, ePC can help you get ready for GDPR with options for both paper and electronic forms.
Option 1 – paper consent form
A paper form can be designed in TeleForm for your data subjects to complete. Once returned, the form is scanned with image zones and choice fields captured and verified.
Option 2 – electronic consent form
Alternatively, an electronic form can be made available online for data subjects to complete.
A crucial tenet of GDPR is that you must keep clear records to demonstrate consent. In both the above scenarios, the data can be exported to common database types (Excel, Access, SPSS, Microsoft SQL, Oracle, CSV, XML etc.) or an electronic database system (e.g. clinical trials databases, CRM systems) via a powerful API.
Moreover, both options provide a clear audit trail with authorised users allowed to quickly review:
- what individuals consented to;
- what they were told;
- how they consented; and
- when they consented.
If you collect sensitive personal data and need support to achieve a GDPR compliant database, we can help. Please contact us today.
About the Author
Richard is the Marketing Manager at ePC, where he is responsible for marketing, PR and ISO 9001 accreditation, including the transition to ISO 9001:2015.