Consent was one of the most vigorously argued subjects during the drafting of the GDPR and remains a lawful basis for the processing, transfer or disclosure of personal data under the GDPR. The GDPR sets a very high standard for consent by defining it clearly as:
“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”
The major change under the GDPR is that consent must be unambiguous to be valid: data subjects should clearly express agreement, or make a statement that clearly says “yes”, to the actual processing of their personal data for a specific purpose. This may be done by clicking or ticking a box, by actively selecting settings, or by making a clear declaration. Consent will also be considered valid where a data subject acts in a clear way that expresses or affirms their agreement.
Even though the GDPR does not require explicit consent for all types of data processing, it makes clear that “silence, pre-ticked boxes or inactivity should therefore not constitute consent.” The GDPR requires explicit consent only for the processing of sensitive personal data; “unambiguous” consent suffices for non-sensitive data, which permits organisations to rely on implied consent to some degree, provided a data subject’s actions are clearly and adequately indicative of their agreement to the specific data processing.
The fundamental challenge that organisations face with the new GDPR consent requirements is organisational accountability and the need to provide proof of consent. The GDPR requires the data controller to be “able to demonstrate that consent was given by the data subject to the processing of their personal data”, meaning that data controllers can no longer rely on implicit or “opt-out” forms of consent in some cases, but will need to show that the data subject indicated their agreement by way of a “statement or clear affirmative action”.
Organisations face the difficult task of reviewing the way consent is recorded and of ensuring that data subjects are adequately informed and have agreed to the processing of their personal data.
It is no longer sufficient simply to record that an individual has ticked a box. Organisations will need to keep records and audit trails that show that data subjects were fully informed, by way of notices and similar means, and freely agreed to their data being processed for a specific purpose. Failure by a data controller to verify its consent records may amount to a breach of the GDPR requirements for valid consent and exposes the organisation to the risk of enforcement action for processing personal data without a lawful basis.
Any infringement of the basic principles of personal data processing under the GDPR, “including conditions for consent”, can expose organisations to very large financial penalties of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide turnover of the preceding financial year, whichever is higher.
This makes documenting consent an important action for organisations seeking to comply with the GDPR.
Infinitic Compliance Services can help your organisation carry out a risk assessment and ensure you are prepared for the GDPR. Our consultants can help you develop processes and systems that enable your organisation to record proof of consent. Please contact us if you require help with developing effective and GDPR-compliant consent processes.