Does your business need ‘consent’ under GDPR?

EU privacy and data protection laws have been around for a while, affording a high degree of privacy protection for EU citizens. However, the General Data Protection Regulation took the existing laws to a new level, and is arguably the strictest privacy law in the world. Highly significant is the extra-territorial application of GDPR. Not restricted within the EU, it applies also to non-EU companies.

In this article, we discuss:

  • Whether your business needs to get consent
  • What is required for valid consent

Does GDPR apply to my business?

Whether located inside or outside the EU, GDPR applies to any company that is:

  • Offering goods or services (including ‘information society services’) to anyone within the EU (and includes not-for-profit organisations)
  • Monitoring the behaviour of people within the EU (and any follow-on behavioural analysis or profiling – the purpose of many cookies)

Every time a company ‘processes’ (i.e. does something – anything – with) ‘personal data’ (information that can identify, or help to identify, an individual) in any form or any way, it must do so in compliance with GDPR. Companies of all kinds and sizes routinely process personal data daily.

Do we need to get consent?

Consent is one of the 6 lawful bases (GDPR Article 6) for processing personal information. The other 5 (necessary) bases are:

  • For a contract you have with the individual
  • To comply with the law
  • To protect someone’s life
  • To perform a public interest task or official duty which is allowed by law
  • For your, or a third party’s, legitimate interests, unless there is an overriding reason to protect the personal data

If your business does not qualify under one of the other 5 bases, you must get valid consent before you process personal information. Alternatively, if your purpose does qualify under one of the other 5 bases, you should be relying on that basis, and not seeking consent. It is often difficult to determine whether or not all or even just some of your processing is allowed under the other bases.

What is consent under GDPR?

Most privacy laws allow for consent to take 2 general forms: implied and express.
Crucially, GDPR does not allow implied consent. Consent under GDPR means only express consent.

GDPR Article 4 Para. 11 defines consent as:

“any freely given, specific, informed and unambiguous indication … by a clear affirmative action, signified agreement to the processing”

That means you must ask for an individual’s consent in a way that allows them to:

  • Clearly understand the question
  • Clearly understand the implications of giving their consent
  • Make a genuine choice to accept or refuse

What is required for us to get valid consent?

Consent under GDPR requires all 5 of these parts:

  • Freely given – it cannot be a condition of using a service, and the person needs the free choice to refuse or withdraw consent without any detriment
  • Specific – the person must be asked to consent to individual types of data processing, in a way that is clearly distinguishable from anything else
  • Informed – the person must be told what they’re being asked to agree to in a way they are able to understand, so using plain language with no technical jargon or legalese
  • Unambiguous – positive confirmation is required; silence, pre-ticked boxes or inactivity are not acceptable. GDPR consent is Opt-In only.
  • Can be revoked – consent does not have a specific shelf life, so in theory a person’s consent is indefinite (although it might become invalid). However, a data subject has the right to withdraw consent at any time; they must be told this, and it should be as easy for them to withdraw consent as it was for you to obtain it.

The consent request must specifically include:

  • The data controller’s identity (you or any third party relying on the consent). You cannot buy-in ‘consented data’ unless you were specifically identified.
  • Each separate processing purpose
  • Each type of processing operation or activity
  • The right to withdraw consent at any time

So for every situation where your business is processing personal data, unless you qualify under one of the 5 other lawful bases, you must obtain valid consent before you begin the processing, or you will be in breach of your obligations under the GDPR, which may expose you to fines and penalties.

What form does a request for consent take?

You can ask for consent using a number of positive opt-in forms such as:

  • Physically signing a statement on a form
  • Opt-in boxes (paper or electronic)
  • Opt-in buttons, or agree/disagree options
  • Specifying user or account preferences or settings
  • Responding to an email
  • Giving verbal consent when asked
  • Optional information voluntarily given for a particular purpose

How long does my consent last for?

There is no specific time limit given for how long consent lasts for, but:

  • If an individual withdraws their consent, it ceases to be valid and you should stop processing as soon as possible
  • If the purpose for the processing changes sufficiently, you will need to get new consent for the different purpose
  • If the purpose is completed, the basis for the consent will end.

In this day and age, it is important that businesses revisit their privacy and data protection policies and procedures to ensure that they are fit for purpose and compliant. This area of law and its interpretation continues to evolve and the requirements are complex. For more information, guidance, and some helpful checklists see ico.org.uk/consent.

Here at Devant we are helping many clients review their GDPR compliance and policies, including Privacy Policies, Cookie Policies, and Data Processing Agreements. If your business could use our help, please don’t hesitate to get in touch.

Richard Sugden,
Principal Consultant.