Whenever I speak to anyone about the new data protection regulations they always ask, “as long as I have consent it’s all fine right?”   The answer can, in fact, be no.

The “lawful, fair and transparent” principle of GDPR requires you to identify the correct reason (the lawful basis for processing) for collecting and processing personal information, and that reason is not always consent.  A contract sets out the terms and conditions that business and customer (or society and member) agree to, but “agreement” and “consent” are different things in this regulation.

Consent is something that has to be given freely by the individual, and generally separately from the main agreement.  The onus is on the organisation to ensure that consent is correctly recorded, monitored and withdrawn in line with the requests of the individual.

When Consent is Required

The most common question I get after I explain the above is, “Well, when do I need consent then?”  These are the most common reasons:

Each time you rely on consent you need to make sure your request is very clear.  It:

Consent is the weakest basis for processing data, because the individual can withdraw it at any time.  Unless you have another lawful basis that covers their request, you will have to stop processing their personal data for that purpose.

When Consent is Not Required

The easiest way to explain when consent is not required is to say that it is where there is a benefit to that individual, or where there is a benefit to the safety of others.

Practically, this can mean:

The Most Common Exceptions

Consent will never be required where there is a definable process that has to happen in relation to an individual.   This will usually relate to processes where local and central government bodies need to process data.  Examples of these bodies are hospitals, schools, police, courts, etc.  This does not mean that they are free of the obligations of data protection regulations, but reliance on consent is not a valid basis for some of their processes.

Otherwise, the exceptions to requiring consent (other than some of the practical measures I have already explained) will relate to obligations, or shared processes, with already trusted organisations, such as the post office, or again the police, hospitals, courts, etc.

There is so much more information available, some of it very detailed.  Please look through the other blogs and see if the information you want is provided.

If not, we would be pleased to answer your enquiry through enquiries@eyebray.com, or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.