[Blog] Consent: Tips to Survive in the GDPR Jungles
We all have to confess this sin: sometimes we trick people into consent in a blurred context. It happens in our family matters or business relationships. There is no special evil about it. We need to get what we want with the least effort or resistance.
This attitude can be a trap when organizations seek people’s assent to process their personal information. The new European legislation empowers individuals with complete control over it. Formal consent becomes a double-edged sword.
Legal Grounds for Personal Data Processing
What can be wrong, you may ask, in getting consent at every opportunity? It means we meet the requirements, doesn’t it? Consent seems a very simple get-it-and-forget-it solution. Yet companies using consent should not delude themselves with this idea. It is in no way simple, nor free from pitfalls. In fact, it puts a heavier burden on your shoulders.
Well, are there any other options? Of course there are. The right approach is to always ask yourself which legal ground is your best choice.
The EU regulation defines six legal grounds for lawful personal data processing:
- Legitimate interests;
- Public interest;
- Vital interest;
- Legal obligations;
- Contractual necessity;
- Consent.
Organizations must rely upon at least one of the above grounds to legitimize data processing. Consent should be the last choice if other instruments are available. Relying on consent puts extra pressure on organizations, while data subjects receive a series of crucial rights.
What Makes Consent Valid
Recently popular ways of getting implied consent no longer do the job. Pre-ticked boxes, text hidden between the lines or user inactivity do not prove valid consent. Now, people must have an opportunity to express their free will in such a way that there can be no doubt about it.
The idea of freely given consent is deeper than it appears at first glance. ‘Free’ suggests a genuine, uninfluenced decision. Imagine the controller is a public authority or an employer. They have a certain power to influence an individual’s decision. This situation reflects an imbalance of power.
Another frequent inconsistency lies in conditionality. Businesses tie their offers to the requirement of giving consent for personal data processing. It often occurs in an automated way through online forms. Extracting consent as a precondition for receiving a service or for contract performance is a common case today. Be aware that this stunt invalidates consent because the law does not regard it as truly free.
Keep in mind that control over personal data is completely in the hands of those who give it. Make sure you apply no pressure, direct or indirect, to drive individuals into consenting. Do not hide anything ‘between the lines’ in the text of agreements. Provide data subjects with a true choice. Otherwise, the consequences can be devastating. Imagine the data subjects decide to challenge the consent in court. This impact will grow further as people become more aware of their rights.
The next attribute of valid consent is being specific. The purpose of data processing must be specified and limited. Imagine a person drawn in by a poorly specified purpose. They might not have agreed to its vague scope had the purpose been specific enough.
Further, the data subjects must be properly informed before consent is obtained. It is your obligation, not a choice. Controllers must provide them with all legally required information, including the data subject rights.
Consent Is Not a One-for-All Solution
You cannot resort to a consent option without proper substantiation. There are several purposes specified in the regulation for requesting consent. Using any of them, you must be ready to provide further explanation.
One more crucial attribute of consent is that it must be unambiguous. This means that it cannot be implied or derived from any framework provisions. Consent must be given in a manner ensuring that the data subject fully understands this act.
The most crucial feature of consent is that organizations must be ready for consent withdrawal. They will have to stop personal data processing as soon as the data subject requests it. If the data subject withdraws consent, data controllers cannot change the legal ground for it.
We do not always need consent as a legal ground for personal data processing. There are five other options. Consent may not turn out to be the easiest or most appropriate method. Always consider the alternative. In practice, managing personal data is a tough task for every organization. It is time to think of automated solutions.