Four main questions for obtaining and managing data subjects’ consent under GDPR
GDPR’s Article 4 introduces “consent of the data subject” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In other words, by consenting to personal data processing, the data subject effectively legitimizes it.
Yet, as much as that interpretation sounds tempting to personal data controllers, using consent as the legal basis for processing is not the best, and certainly not the easiest, way to proceed on the path to GDPR compliance. This article unveils some of the consent myths and attempts to answer certain related FAQs.
1) Consent ‑ hype for something that was already there?
The first question is: is this actually a legal novelty? Short answer: no, but it’s more complicated than that.
Consent had already been included in the GDPR’s predecessor, EU Directive 95/46/EC, the current personal data protection legal framework for EU Member States (to learn more about the comparison between EU Directive 95/46/EC and GDPR, read this article: EU GDPR vs. European data protection directive). As such, it has been used extensively, albeit with much greater freedom than initially intended. As a result of this use and misuse, GDPR co-opts the concept of consent but imposes stricter requirements.
2) GDPR consent requirements
The second question is: how do we manage consent in a GDPR-compliant way?
Let’s clarify the terms: consent is an outcome, resulting from a mechanism which strives to obtain it.
This outcome has to be time-constrained: it cannot be valid indefinitely, and, once obtained, it is a positive indication of agreement between the data subject and the controller about the personal data being processed. Although consent has to be constrained in terms of its maximum duration, it is not legally required to specify a minimum validity period, i.e. it does not and cannot define an obligatory period of validity.
The consent mechanism has to meet the following requirements and constraints:
- In order to perform data processing, consent has to be obtained upfront. After expiry, it has to be obtained again. The data controller cannot specify any minimum period of processing and force it upon data subjects, who can withdraw their consent at any point in time.
- The method used has to ensure that the data subject was well informed about the processing (i.e. in unambiguous and clear language). The data subject must also be informed, before consenting, of the precise type of processing described in the consent form (granularity is very strict here). Consent also requires a positive action (i.e. implied or passive consent is not compliant).
- The mechanism is also dependent on the context. Since there is a further stipulation that consent has to be given freely, it will not be considered valid if the data subject had no genuine and free choice, or is unable to withdraw or refuse consent without detriment (which might be the case in certain situations, such as employment or government-to-citizen relationships).
Furthermore, although GDPR does not specify the means of managing consent, the data controller is required to be able to demonstrate that consent has been given, along with all associated information (what the data subject was told, when, and for which processing). Here are some examples of possible audit trails: signatures on paper forms, check boxes, “click here” buttons, transaction logs, screen prints, digitally signed documents, call recordings, etc.
Additionally, GDPR includes parental/guardian consent for children. The mechanism for obtaining consent has to satisfy two conditions here: reasonably reliable verification of the child’s age at the point of collection (particularly tricky in the context of online services), and the use of clear and plain language (visualization is encouraged) that the child can easily understand. The age below which consent must be obtained from a parent or guardian is determined by each EU Member State’s regulatory body, as long as it is between 13 and 18 years old.
3) Determining the need
Our third question is: in which scenarios is consent really necessary, i.e. when do data controllers have to use it? And why ask this question?
It is worth noting that the consent mechanism is one of multiple legal bases for processing according to the GDPR (to learn more about the 6 legal bases, read this article: Is consent needed? Six legal bases to process data according to GDPR).
In spite of the public hype, consent is perhaps the most quoted and least popular legal basis for processing. As we have discussed, it requires the most effort to obtain and manage, while it carries the biggest drawback ‑ it can be revoked at any time. Revocation automatically results in the cessation of further processing and might also require fulfilment of the right to erasure of personal data within the required 30-day deadline.
Data controllers are advised to analyse all other legal bases first, and to justify their processing of personal data accordingly. When those options are exhausted, consent remains as the last resort.
4) What do we do with existing consents?
As mentioned above, consent as a mechanism/outcome pair has existed for more than 20 years, as a result of EU Directive 95/46/EC, and many organisations have been using it for years. It is safe to assume that a certain percentage of existing proofs of consent are present in their active/archive systems, and that personal data processing continuously takes place on the basis of them.
The fourth question is a very important one. Do data controllers have to obtain “new” GDPR-compliant consent for each and every living individual whose personal data they currently process? Well, GDPR “lends a hand” here. Recital (171) states that “where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again” in a GDPR-compliant manner, “so as to allow the controller to continue such processing after the date of application of this Regulation.”
Beware, however, that a too-broad definition of data processing in these “legacy” consent mechanisms, combined with not informing the data subjects in line with GDPR conditions, might constitute non-compliance. This is especially true when personal data is being used for one purpose while consent was initially obtained for another.
In a nutshell, the approach to data subjects’ consent can be summarized in two sentences:
- Use consent only if necessary, and handle it with care.
- Do not assume that anyone agrees with your business needs.
Download this free Project plan for EU GDPR implementation to find out when it is best to start collecting consent.