Technology has significantly changed the way we communicate and how we do business every day.
If your business is processing personal data, it must have lawful grounds for doing so. The UK General Data Protection Regulation (UK GDPR) defines people’s legal rights and the obligations of organisations when processing personal data; for example, all processing must be fair and lawful.
There are six available lawful grounds for processing. Which one is most appropriate will depend on the intended use of the data and the relationship with the person (known as the data subject). One of the possible grounds for processing is consent.
When is consent required under GDPR?
If there is no other lawful reason to process personal data, you’ll need to obtain consent from the data subject.
You must have the consent before you begin any processing activities. The lawful reasons for processing personal data apart from consent are:
- It’s necessary for the performance of a contract
- The controller must comply with a legal obligation
- The vital interests of the data subject or another natural person are at stake
- It’s necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller
- It’s necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of their personal data (mainly where the data subject is a child)
What is considered UK GDPR-compliant consent?
Article 4 of the UK GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
For consent to be valid, the data subject must have given their clear express consent to your organisation for their personal data to be processed for a specific purpose.
Article 7 of the UK GDPR states that to gain valid consent:
- The data controller (i.e. the person making decisions about how and why data should be processed) must have a record of the consent for personal data to be used
- Information regarding written consent should be distinct and clear from other matters
- Data subjects should be told they have the right to withdraw their consent
- It must be clear that consent is freely given if a contractual agreement is conditional on that consent.
‘Freely given’ in this context means that consent is based on a genuine choice; consent isn’t freely given if evidence shows that the data subject had no choice but to agree to the use of their personal data.
Consent may also be deemed invalid if:
- It is unclear if a data subject gave consent
- The data subject was not aware they gave consent
- There are no records showing a data subject gave consent
- Consent was required as a precondition of a service, but the processing isn’t necessary for that service.
The GDPR also refers to ‘specific and informed’ consent, meaning that the data subject has the right to:
- Know the identity of the person making decisions about the use of their information (i.e. the data controller and any third-party controllers who will rely on the consent given)
- Consent to distinct reasons for collecting the data – this means that if the organisation collecting data is using it for several reasons, consent must be given for each reason
Is verbal consent OK for GDPR?
The UK GDPR is clear that consent requires clear affirmative action, and Recital 32 sets out additional guidance on this.
Clear affirmative action means that someone must take a deliberate and specific action to opt in or agree to the processing; this includes methods such as signing a consent statement or giving an oral confirmation.
What is explicit consent?
Explicit consent isn’t defined in the UK GDPR, but it isn’t likely to be very different from the usual high standard of consent.
All consent must involve a specific, informed and unambiguous indication of the individual’s wishes. The key difference is likely that ‘explicit’ consent must be affirmed in a clear written or oral statement.
Is consent the only legal ground for processing personal data?
Under the previous legislation (The Data Protection Act 1998), consent was the most commonly relied-on basis for processing.
However, under the GDPR there has been a shift in the consent mechanism, and it may be that consent isn’t the most appropriate basis for future processing.
Organisations should always consider whether another legal ground, for example, legitimate interest, is more suitable.
How to ask for GDPR consent?
If you conclude that consent is the most appropriate basis for processing (for example, to send marketing communications), this decision must be recorded, and the following checklist should be observed:
- Don’t use pre-ticked boxes, opt-out boxes, or another default setting when obtaining consent
- Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing (for example, separate consent to receive information by email than by SMS message)
- Make sure that the request for consent is unambiguous
- Keep the request for consent prominent, concise, and easy to understand
- Keep the consent opt-in separate from other terms and conditions (it must be freely given)
- Ensure that the individual can refuse consent without receiving a reduced service (for example, still access some areas of a website without a login)
- Keep records to evidence consent – who consented, when, how, and what they were told
- Make it easy for people to withdraw consent at any time they choose; consider using preference management tools
What information must I provide to obtain valid UK GDPR consent?
When your business is seeking consent to carry out some sort of processing activity (such as adding to a marketing database), the data subject must be given clear information about their consent's specific nature and scope.
In particular, the following information should be given at or before the data is collected (for example, in a published Privacy Policy or consent statement):
- The name of your organisation
- The name of any third-party controllers who will rely on the consent
- What information is being collected
- Why you want the information
- What you will do with it
- That the individual can withdraw consent at any time
How long does GDPR consent last?
Although the UK GDPR doesn’t set a specific time limit for consent, the ICO states that consent is “likely to degrade over time”. If you’re relying on consent, you should keep data subjects’ consents under review and, from time to time, look at whether the consent remains valid.
This will depend on the scope of the original consent and the individual’s expectation at the time consent was given.
You may need to request new consent from time to time to justify continued reliance. Consent can be withdrawn at any time, so if someone withdraws consent, you must stop processing their personal data as soon as circumstances allow.
Suppose it is necessary to continue to process an individual’s personal data, but they have withdrawn consent. In that case, you may need to consider using one of the other lawful bases for processing, for example, legitimate interest or legal obligation.
Can you market without consent under the GDPR?
Organisations must not send marketing texts or emails to individuals without their specific prior consent. The company must stop sending marketing communications promoting their products or services, including persistent and unwanted telephone calls, fax, email marketing or other remote media to any person who objects or opts out of receiving them.
What happens if I breach UK GDPR rules?
If you don’t comply with the UK GDPR, you can be fined up to 4% of your turnover by the ICO. Or, even more worryingly, the ICO can issue a 'Stop Now' order, which prevents you from collecting or using personal data permanently or until you have complied with their requirements.
What are the principal factors when relying on consent to process personal data?
To help with GDPR compliance and to help with achieving higher levels of trust from customers, we suggest that organisations:
- Check that consent is the most appropriate legal ground for processing
- Check that consent can be given (for example, is the individual vulnerable or a child?)
- Understand if consent is freely given (rather than tied in with an agreement to wider terms and conditions)
- Ensure you have told people what you’ll be doing with their data (and do not use it for any other purpose)
- Ensure your Privacy Notice and any wording around the consent are clear about processing based on consent
- Ensure you have allowed people to choose how they want to be contacted (SMS, email, etc.)
- Ensure that unsubscribing (or withdrawing) consent is straightforward
- Regularly review the consent gathering process (and how long you rely on an individual’s consent)
- Keep accurate and updated records
Get legal assistance from LawBite
Our lawyers provide expert GDPR legal advice to your business to ensure that your documents, including your websites and contracts, are appropriate and robust.
We’ve also created GDPR-specific service packages to support you at different stages of your GDPR journey. To find out how we can help your business, book a free 15-minute consultation or call us on 020 3808 8314.