Q. Are you getting consent/refreshed consent for your data subject for GDPR? Do I need consent for this process? – In short, you only need consent if your legal basis for processing is consent (there are 5 other basis for processing) and you only need to re-capture it if it wasn’t gathered in a GDPR compliant manner.

Full Answer: There are 6 lawful basis for processing and you can read more about them in article 6 of the GDPR or on the ICO’s website. Consent is only 1 of 6 and according to the ICO “you often won’t need consent”, so this should be your first question, do you really want to base this processing on consent or is there another lawful basis that is better suited? For example, if you need data to fulfil a contract your lawful basis is likely to be ‘contract’, if you need to process your personal data to comply with a common law then your lawful basis is likely to be ‘legal obligation’.

So, once you have decided that this process needs to be based on consent (you want to put the individual in charge and let them decide whether they want to give you the personal data or not ie. sign up for a newsletter) you need to find out if consent has already been captured for this process, if it has not, you will need to ask your data subject to give you their consent. If it has been gathered in a non-compliant manner you should assume that you do not have the consent of the data subject after May 2018 and progress much the same was as you would to gain their consent in the first place.

When you gain the consent of a data subject this consent must be explicit about what the consent is for, it must be informed, freely given and it must be a positive and active opt-in (ie. no confusing words, detriment to the subject or pre-ticked boxes). If your consent is not/was not gathered in such a manner then it will not be a valid lawful basis for processing after the 25th May 2018 (and arguably isn’t lawful now).

– Don’t forget to think about the privacy notice that needs to go alongside the consent to ensure it is informed, how you will actively maintain your consent database across your business and how you will respond to individual rights requests.

2 thoughts on “Do I need consent?

  1. Just to clarify.

    Consent has been a requirement under the PECR regulations since 2003, if you don’t have valid consent then you are in breach of this regulation if you contact a person by email and ask for it, a few companies have been fined for this in the past.

    There is a school of thought that you may have consent that is compliant under PECR but you’d like to update your privacy notices to be clearer about your data processing and make sure your consent database is up to date and reflects the new, more stringent requirement, of GDPR. Companies are asking data-subjects to re-consent with this in mind however, you should be clear this isn’t ‘because of GDPR’.

    There is another school of thought that views this in a much more ‘clear-cut’ manner.
    (1) You have compliant consent so don’t annoy your data subjects and ask for it AGAIN (you can still update your privacy notices) or
    (2) You don’t have compliant consent therefore you do not have consent, full stop. You must proceed as though you do not have their consent (ie. do not email them if you have based your process on consent). Note. you’ll still be able to email them on other processes where you use a different lawful basis however, if this lawful basis is legitimate interest you should make sure you have defined it and ensure data-subjects are able to opt out.

    The regulation will tell you what is lawful and what is not, how you as a business decide to comply with that is an important decision you need to take (and document).

    Thanks,
    Murray Bryant
    (article author)

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s