Whenever I speak to anyone about the new data protection regulations they always ask, “as long as I have consent it’s all fine right?” The answer can, in fact, be no.
The “legal, fair and transparent2 principle of GDPR requires the identification of the correct reason (or legal basis of processing) for collecting and processing personal information and it is not always consent. Using a contract sets out the terms and conditions that business and customer (or society and member) agree to, but “agreement” and “consent” are different in this regulation.
Consent is something that has to be given freely by the individual and generally separate to the main agreement. The onus is on the organisation to ensure that consent is correctly registered, monitored and removed in line with the requests of the individual.
When Consent is Required
The most common question I get after I give them the information above is, “Well when do I need consent then?” These are the most common reasons:
- Sending Direct Marketing.
- Sharing personal data with others.
- Use of imagery.
Each time you rely on consent you need to make sure your request is very clear. It :
- Has to specify which individual process the consent will relate to.
- Should not use jargon, or legal terminology, unless it is absolutely necessary (hint – usually it isn’t).
- Cannot be detrimental to the individual should they refuse consent.
- Has to be monitorable.
- Be able to be revoked as easily as it taken.
Consent is the weakest reason to process data as it can be revoked at any time by the individual. Unless you can find an exception to their request you will have to stop processing personal data for that reason.
When Consent is Not Required
The easiest way to explain when consent is not required is to say that it is where there is a benefit to that individual, or where there is a benefit to the safety of others.
Practically, this can mean:
- In an emergency situation an organisation can collect information from an individual to call an ambulance. This is utilising what is known as a vital interest and benefits the health of an individual.
- Counsellors and health professionals can have a responsibility to safeguard an individual and can utilise what is known as legitimate interest to refer to other professionals.
- There are legal obligations for organisation to inform bodies, like HMRC, of income-based information relating to individuals.
The Most Common Exceptions
Consent will never be required where the is a definable process that has to happen in relation to an individual. This will usually relate to processes where local and central government bodies need to process data. Examples of these bodies are; hospitals, schools, police, courts, etc. This does not mean that they are free of the obligations of data protection regulations, but their reliance on consent is not valid for some processes.
Otherwise, the exceptions to requiring consent (other than some of the practical measures I have already explained) will relate to obligations, or shared processes, with already trusted organisations, like the post office, or again the police, hospitals, courts, etc.
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through firstname.lastname@example.org , or visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.