The age of consent

What is the biggest myth touted about the GDPR? It is this: “If you want to use personal information you must have consent”. Why is this a myth? Because what you need is a lawful basis for processing personal information, not consent. Consent is just one of the six lawful bases available under the GDPR.

By Claire Heaphy

The Privacy Compliance Hub Information Officer

Consent and GDPR

Contrary to popular belief, ‘consent’ is not necessarily the ‘best’ lawful basis. It can be problematic. Many GDPR fines, including Google’s €50m fine from the CNIL, the French supervisory authority, result from invalid consent.

Controllers are responsible for identifying the most appropriate lawful basis for their use of personal information. For businesses that choice is very often between consent and legitimate interests. The GDPR exists to give people control over their own personal information. The consent basis is the epitome of this, as it allows individuals ongoing control of their personal information.

When to use consent as your lawful basis  

The consent basis is most appropriate when an organisation wants to use personal information in a way that people would not expect or that is potentially intrusive (e.g. where you would like to share a person’s contact details with a third party). Consent should only be used where you are able to offer individuals a genuine choice and control over how their personal information is used. You must also have systems in place so you can stop processing as soon as possible if consent is withdrawn. Remember, the consent basis hands the individual genuine control over how their personal information is used. It is in no way a tick-box exercise to fulfil and then forget about. You must also keep a record of all your consents. This allows you to monitor and refresh consents (if necessary) and demonstrate that the individual has consented to the processing.

When not to use consent

It is very difficult to rely on consent as a lawful basis in an employment context. This is because the imbalance in the relationship between the employer and employee creates a presumption that the consent was not freely given, which invalidates the consent. The same applies to any situation where an organisation is in a position of power over the individual, e.g. a school/pupil relationship. The individual must not fear any adverse consequences of refusing consent.


Consent must be valid 

The GDPR is very strict on what constitutes valid consent for processing personal information. There are four key elements in the GDPR definition of consent, and if your consents do not meet all of them, your processing will be unlawful. For consent to be valid it must be:

Freely given – e.g. it must not be a pre-condition of providing access to a service where consent is unnecessary to provide that service;

Specific – consent requests should be granular (i.e. individual) as opposed to one blanket request. There must be separate options to consent separately for different purposes and processing;

Informed – people must understand what it is they are agreeing to. The information given must be complete yet concise and written in plain, easy-to-understand language; and

An unambiguous indication of the individual’s wishes by a statement or a clear affirmative action – there must be positive action taken to indicate consent (e.g. ticking a box); inactivity will not do (e.g. failure to untick a box). It has been well publicised that the GDPR specifically bans pre-ticked boxes.

Organisations which use the Privacy Compliance Hub understand how to obtain valid consent.

Consent can be withdrawn 

Consent is a reversible decision by the individual, who can withdraw it at any time. Once consent is withdrawn, processing of that individual’s personal information must cease as soon as possible. You must inform people before they give consent that they can withdraw it at any time, make it easy and tell them how. Consent must be as easy to withdraw as to give, preferably using the same method.

Explicit consent

In certain circumstances consent is not enough. The GDPR sometimes requires ‘explicit’ consent (something over and above ‘regular’ consent) to process personal information. Explicit consent requires a very clear and specific statement in words. Obtaining explicit consent is one way of allowing processing which is otherwise prohibited by the GDPR, e.g. of special category data (such as health data) and automated decision-making (e.g. “Computer says no.”).


A culture of continuous privacy compliance

In our view, the very best way to ensure that your business understands its obligations under the GDPR (including ensuring a lawful basis such as consent for processing) is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with the GDPR and other privacy rules. It contains everything that you need.
