Consent for Data Protection - A Business Perspective

Phil Brown, Norfolk's Data Protection Mardler


Consent is one of the six lawful bases for processing personal data and was, in my opinion, one of the most abused, but since the GDPR came into force things are improving.

How consent is defined

Consent of the ‘data subject’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (GDPR Recital 32).

For you this means consent must be obtained lawfully, fairly and transparently. If done properly, the person giving consent will have no reason to be surprised or shocked by the way you have processed his or her personal data. Unfortunately, if you look in the regulation you won’t find detailed instructions on how to do it, just a variety of approaches. It does make clear, however, that pre-ticked boxes, or treating silence and/or inactivity as consent, are no longer lawful methods.

Approaches to obtaining consent

One approach is to use an online form with a prepared statement next to an unchecked tick box, or, if a paper version is used, a signature line directly underneath the statement. The wording must be clear, and it’s also good practice to provide an easy link or reference to your privacy policy.

The statement could read ‘I give my consent to (insert business name) to process my personal data for the purposes of (insert the purpose) until (further notice/ a specific time)’. If the box is not checked or the signature is not provided, then you don’t have consent. Consent can also be given verbally, but that is more difficult to prove later. Either way, once you have it, keep a record, because you may need it as evidence later.

The significance of the purpose

“Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;” (GDPR Article 5). This means you must think hard about the purpose(s) for which you want consent. You can state multiple purposes, but each must be agreed to separately: one tick box per purpose.

How long does consent last

The GDPR does not specify a period for which consent remains valid. You must balance your needs against the nature of the personal data being processed and the principle of keeping it for no longer than is necessary. In other words, you have to consider the context of the activity and meet people’s reasonable expectations.

Withdrawal of consent

When asking for consent, you must point out the right to withdraw consent at any time and make it clear how this is done. If someone withdraws their consent to receive newsletters, for example, and you continue to send them, then you are in breach of the law.

Keeping track

Time spent keeping track of who gave consent, how and when, is never wasted. It’s easy to create big distribution lists and even easier to make big mistakes. Having simple procedures to maintain their accuracy is essential, not only to avoid antagonising those who have withdrawn their consent but also to avoid breaking the law.

Getting it right from the outset

Consent is a perfectly legitimate basis for processing personal data and can form part of your company’s privacy framework. However, the mechanism for obtaining consent has to be understood and respected to ensure it is managed lawfully and in the best interests of your customers/clients. Getting it right from the outset may take time and effort, but it pays dividends later.
