General Data Protection Regulation: The new obligations for consent and what these will mean for businesses

The use of personal data in the United Kingdom (UK) is currently governed by the Data Protection Act 1998 (DPA), which was implemented in order to comply with the European Union’s (EU) Data Protection Directive (DPD). The General Data Protection Regulation (GDPR) replaces this current legislation and is in force with effect from the 25th May 2018, in a bid to harmonise practices across all member states. The GDPR is directly applicable and has effect without the need for local legislation. Furthermore, it is going to affect UK businesses offering any type of service to the EU market, so the decision for the UK to leave the EU does not mean that businesses are exempt from complying.

UK businesses have become familiar with the DPA and its requirements when using, distributing and retaining individuals’ personal data. There are of course also businesses that take advantage of gaps in the legislation and its enforcement and choose to sell contact lists or fail to make it clear to individuals what their data is being used for. These are the types of practices that the GDPR aims to prevent. It does this by introducing several new stringent obligations on businesses that handle personal data and coupling them with some hefty penalties for non-compliance. Some of the new obligations could mean significant reorganisation and adjustments in order for businesses to come in line with the GDPR, and obtaining consent for the use of personal data is one of the areas which faces significant change.

Consent is currently a lawful basis for using or transferring personal data and this will not change with the introduction of the GDPR. However, the rules on obtaining, seeking and recording consent have been considerably tightened. As it stands, businesses in the UK can rely on implied consent through silence or inactivity for processing data. This means that certain ‘opt-out’ practices, such as using pre-ticked boxes, have been sufficient methods of obtaining consent for personal data to be shared.

Under the GDPR this type of implied consent will no longer be permitted. The new regulation requires the individual to make a clear affirmation, action or statement to signify their agreement to the processing of their personal data. This must be a specific, freely given, informed and unambiguous indication of their wishes. Requests for consent must be presented in clear and unambiguous language, and must not be set out in fine print or buried deep within privacy policies. Furthermore, prior to the individual giving their consent, they must be advised of their right to withdraw it at any time and their entitlement to request that the business deletes their personal information. The idea behind this requirement is that consent should be able to be withdrawn as easily as it was given. Providing this additional information when obtaining consent is reasonable on paper, but could prove more difficult in situations where communication is only via the telephone.

The additional caveat of the consent needing to be ‘freely given’ prevents businesses from relying on consent that is provided in situations where there is a clear imbalance between the parties. An example would be where a business makes a service conditional upon consent. In this instance any consent from the individual would not be considered freely given, except where such processing of information was necessary for the service, an example of which would be the need for a taxi company to have the name and address of an individual in order to be able to send a taxi.

An additional hurdle that the GDPR has added is the need for the consent to be specific to each data processing purpose. This means that the consent can only be used for the specific purpose for which it was given. This additional requirement for specificity means that businesses will no longer be able to sell contact lists without permission from all the contacts on the list, and buyers may not be willing to buy the lists as, to use them, they would need to obtain consent from each individual. It does however also create some bizarre scenarios. For example, where information would normally be passed to third parties for genuine reasons (to use the previous example, from a taxi company on to the taxi drivers), consent would technically need to be obtained several times, ultimately for the same objective. Fortunately, there are some exceptions within the GDPR that allow for consent to be overlooked, which include instances where the processing of information is necessary for the performance of a contract to which the individual is a party.

In addition to the above changes there are some less significant amendments that businesses will need to take into consideration. First, there is the requirement for more explicit consent to be obtained for special categories of data which relate to fundamental rights and freedoms. This includes data relating to ethnic origin, sexual orientation and health. This is similar to the explicit consent required under the DPD in relation to “sensitive” personal data, except the definition of sensitive data has been expanded to include genetic data and biometric data where processed to uniquely identify a person. Secondly, the GDPR restricts the ability for children to give consent. Businesses will need to obtain consent for children under 16 from a person with parental responsibility, i.e. a parent or guardian. There is the ability for each member state to reduce this age to 13 and notably the UK has indicated that it would intend to adopt the lower age of consent.

Where the processing of data is based on the individual’s consent, as opposed to an exemption, the business will need to be able to demonstrate that appropriate consent was given. This means that an effective system will need to be put in place by the business to ensure that records of consent are maintained.

The Information Commissioner’s Office have issued some guidance on the GDPR which can be found at and they will no doubt produce more information on the changes in due course. Businesses across the UK use data in their day-to-day practices and therefore most will need to make changes in order to comply with the GDPR and have under two years to do this. The penalties for non-compliance when it comes to consent can be fines up to €20,000,000 or 4% of global turnover. With this in mind, businesses should come up with strategies sooner rather than later so that they are not caught out by the new law.


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.