The GDPR and Consent
In a recent webinar, we looked at the topic of consent and the GDPR. We discussed best practices for addressing compliance with consent requirements, and in particular we considered the ways in which an accountability approach can embed compliance mechanisms throughout the process of consent management.
In today’s blog, we will highlight the most important takeaways from that webinar. At the end of the blog, you’ll also find the link to the webinar itself, where you can learn about this topic in greater detail.
The Foundation of Consent for Data Processing
Both the current and upcoming EU data protection laws, Directive 95/46/EC and the GDPR, contain six legal bases for processing personal data. Consent is only one of them, so if consent is not available there are alternatives, and one of these may often be preferable. Therefore, determining which legal ground best suits your project is critical to the process of addressing consent under the GDPR.
The 6 legal grounds for processing are:
- Consent of the individual
- Legitimate interests of the data controller or third party
- Contract performance
- Compliance with legal obligations
- Protection of vital interests of a natural person (typically only covering serious illness and life-and-death situations)
- Performance of a public task set out by law
The GDPR now clearly states that opt-out consent is no longer allowed. Consent must be:
- A clear affirmative act
- Freely given
Keep in mind that, based on your type of data processing and the applicable legal ground selected, you may need to obtain specific consent from the individual for each separate purpose. Additionally, for online consent, there are further requirements to satisfy the concept of consent, which are mainly aimed at providing relevant information to the data subject. To be clear, the consent we discuss in this blog does not yet cover the changed rules that will stem from the upcoming ePrivacy Regulation.
Using Consent as a Legal Basis
When using consent as a legal basis for data processing, organisations will need to perform a number of additional tasks. This includes:
- Demonstrating consent was legally obtained from the individual
- Keeping transactional records so that consent can be traced and verified
- Ensuring that consent is obtained using language the data subject is able to understand
- Ensuring terms and conditions are specific enough to meet the requirements
- Ensuring that the proper “age-related” protocol is followed for children and teens (this varies between countries in the EU between 13 and 16)
Accountability and Consent
In earlier blog posts, we’ve spoken a great deal about the concept of accountability as a key principle within the GDPR. When addressing the issue of consent, having thorough accountability mechanisms in place throughout your organisation can play an equally important role.
Simply obtaining valid consent is not the only critical step for many organisations to comply with the GDPR. You will need further insight to deal with consent in practice. For example, privacy statements need to be served to the individual before they provide consent. Simply having the privacy statement available somewhere on your website is not enough to meet the requirements.
Many elements required to obtain valid consent can be covered with appropriate accountability mechanisms. The only element that is not covered is the clear affirmative act of the data subject. The European data protection authorities have clearly stated that they expect consent to be fully documented. This requires additional records, both online and offline, linking back to the appropriate accountability mechanism that applied at the time consent was provided.
Taking the accountability approach to addressing consent not only allows you to meet the consent requirements and accountability obligations, but also creates a document trail, giving your organisation evidence for demonstrating compliance. This approach is best achieved through a three-step process:
Step One: Update your policies and procedures, and if necessary, create new ones that emphasize consent. Embed them into the operations, and then into your current processing.
Step Two: Take an accountability approach each time you conduct a Privacy Impact Assessment (PIA) or, in the case of high-risk processing, a Data Protection Impact Assessment (DPIA). This means applying your policies and procedures at a project level, which will also create evidence through documentation.
Step Three: Assess whether your organisation has effectively applied the policies and procedures. This requires that the business team members attest to their compliance throughout the process. To increase buy-in and participation in the attestation process, many organisations find it helpful to automate it by introducing a software platform.
Introducing a Software Solution to Operationalize Consent
Implementing a software solution is an excellent way to ensure that proper documentation surrounding consent is created at the project level and maintained over the long term. When choosing a software solution, look for one that has a simple interface to the business. Avoid overly complicated platforms that require additional, specialised training; the goal is to make the attestation process as simple and effective as possible. This enables the privacy officer to easily assess the progress of each of the business units, and therefore to provide support and oversight for the business.
For more information on consent under the GDPR, and to hear a real-time example of how one company has operationalized consent through a Universal Consent Platform, view our latest webinar by clicking on the following link: https://www.nymity.com/workshops-and-webinars/gdpr-webinar-series/consent-and-the-gdpr.aspx