Consent is one of the lawful bases for processing under the UK GDPR (UK General Data Protection Regulation) and plays a central role in data protection practice. In this article, we delve into the basis of consent under the UK GDPR, its rules, the penalties for non-compliance and effective strategies for managing it, with practical examples along the way.
The basis of consent
Consent, as defined in the UK GDPR, is one of the lawful bases for processing personal data. To be valid it must be freely given, specific, informed and unambiguous, and it must be given by a clear affirmative action, leaving no room for assumptions or ambiguity. Silence, pre-ticked boxes or inaction cannot be considered valid consent. (Explicit consent, a higher standard, is required for certain processing, such as that of special category data.)
Example: An online user wishes to purchase an item from an online shop, but the shop owner makes consenting to receive newsletters a condition of completing the purchase. This consent is not valid: the newsletter data is not necessary to perform the purchase, so bundling the two means the consent is not freely given. Note that the marketing emails themselves are additionally governed by the Privacy and Electronic Communications Regulations (PECR), which set the rules for marketing by phone, email, text or fax and apply alongside the UK GDPR.
Rules governing consent
To ensure compliance with the UK GDPR, organisations must adhere to certain rules when seeking consent:
Clarity and transparency
Consent requests must be presented in clear and plain language, avoiding any form of legalese or convoluted terminology. Individuals should have a complete understanding of what they are consenting to, including the purposes of data processing and any third parties involved.
Specificity and granularity
Consent must be specific to each distinct purpose for which data is being processed. Blanket consent for multiple activities is not acceptable. Organisations should obtain separate and granular consents for different processing activities.
Withdrawal of Consent
Individuals must have the right to withdraw their consent at any time. This right should be communicated clearly and made easily accessible. Once consent is withdrawn, processing that relied on it must stop promptly, although withdrawal does not make the processing carried out before it unlawful (Art. 7(3) UK GDPR). Individuals should be informed of the consequences of withdrawal, if any.
Children’s consent
Where an online service is offered directly to a child and consent is the lawful basis, the UK GDPR sets the age of digital consent at 13. For children under 13, consent must be given or authorised by the holder of parental responsibility, and the organisation must make reasonable efforts, taking available technology into account, to verify that it was. Children aged 13 and over can give their own consent, but the organisation should still consider whether the child is competent to understand what they are agreeing to.
Tip: Read our guide on the UK Children’s Code for further information.
Penalties for non-compliance with consent obligations
Non-compliance with the UK GDPR can result in significant penalties for organisations. If an organisation fails to comply with consent requirements, the Information Commissioner’s Office (ICO), the regulatory body responsible for enforcing data protection laws, has the authority to impose fines of up to £17.5 million or 4% of the company’s annual global turnover, whichever is higher. These penalties emphasise the importance of managing consent effectively.
Managing consent effectively
To ensure compliance with the UK GDPR’s consent requirements, organisations should consider the following strategies:
Consent management systems
Implementing robust consent management systems can streamline the process of obtaining, documenting, and managing consent. These systems can help maintain a clear record of consent for auditing purposes and facilitate the withdrawal of consent if required.
Transparency
Organisations should prioritise transparency by providing individuals with detailed information about data processing activities, the purposes behind them, and any third-party involvement. This transparency builds trust and empowers individuals to make informed decisions regarding their personal data.
Regular consent reviews
Organisations should conduct regular reviews of their consent mechanisms to ensure ongoing compliance with UK GDPR requirements. This includes assessing the validity of existing consents, updating consent requests when necessary, and verifying age-related consents for minors.
Other things to consider concerning consent
Consent degrades over time. The UK GDPR sets no specific time limit, but the context in which consent was given changes, so consent that was valid at the time may no longer cover what you now do with the data. Seek fresh consent as soon as something material changes, such as a new purpose or a new third party; if consent cannot be refreshed, processing of that data must stop as soon as possible.
Example: Consent given for a summer promotion on gym classes is tied to a set period; when the deal ends, so does the consent.
The right to withdraw consent is “available at any time” per Art. 7 (3) UK GDPR and thus the individual must be able to opt out at any time they choose, on their own initiative. It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
Example: If the person gave their consent over a form or a telephone call, they must be able to withdraw their consent over a form or a telephone call as well.
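The consent management behaviour described above (one consent per purpose, an auditable record, withdrawal via the same channel it was given, and expiry or refresh when the context changes) is sketched here as an added example. It is not code from the original article or from any particular consent management product; the class and field names (ConsentLedger, ConsentEvent, notice_version, withdrawal_channels) and the sample subjects in the demo are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry in the consent record (hypothetical schema)."""
    subject_id: str
    purpose: str                 # one distinct purpose per event: no bundled consent
    action: str                  # "granted" or "withdrawn"
    channel: str                 # how it was given or withdrawn, e.g. "web_form", "phone"
    at: datetime
    notice_version: str          # version of the privacy information shown at the time
    expires_at: Optional[datetime] = None   # e.g. the end of a time-limited promotion


class ConsentLedger:
    """Append-only consent record; nothing is ever overwritten, so the full history
    can be produced for an audit. Hypothetical example class."""

    def __init__(self, notice_version: str, withdrawal_channels: set[str]):
        self.notice_version = notice_version
        self.withdrawal_channels = set(withdrawal_channels)
        self._events: list[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, channel: str, at: datetime,
              expires_at: Optional[datetime] = None, pre_ticked: bool = False) -> None:
        # A pre-ticked box is not a clear affirmative action, so refuse to record it.
        if pre_ticked:
            raise ValueError("a pre-ticked box is not an affirmative act of consent")
        # Withdrawal must be as easy as giving: only accept consent via a channel
        # through which the individual can also withdraw it.
        if channel not in self.withdrawal_channels:
            raise ValueError(f"no withdrawal route exists for channel {channel!r}")
        self._events.append(ConsentEvent(subject_id, purpose, "granted", channel,
                                         at, self.notice_version, expires_at))

    def withdraw(self, subject_id: str, purpose: str, channel: str, at: datetime) -> None:
        if channel not in self.withdrawal_channels:
            raise ValueError(f"withdrawal not offered via channel {channel!r}")
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", channel,
                                         at, self.notice_version))

    def update_notice(self, new_version: str) -> None:
        """Call when purposes or third parties change; earlier consents then need refreshing."""
        self.notice_version = new_version

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        events = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose]
        return events[-1] if events else None

    def is_permitted(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """The check to run before any processing that relies on consent."""
        e = self._latest(subject_id, purpose)
        if e is None or e.action != "granted":
            return False                      # never given, or withdrawn
        if e.expires_at is not None and now >= e.expires_at:
            return False                      # time-limited consent has lapsed
        if e.notice_version != self.notice_version:
            return False                      # context changed since consent was given
        return True

    def audit_trail(self, subject_id: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]

    def consents_to_refresh(self, now: datetime) -> list[tuple[str, str]]:
        """(subject, purpose) pairs whose latest grant is no longer valid; withdrawn
        consents are deliberately excluded, since those must stop, not be re-asked."""
        latest: dict[tuple[str, str], ConsentEvent] = {}
        for e in self._events:
            latest[(e.subject_id, e.purpose)] = e
        return sorted(key for key, e in latest.items()
                      if e.action == "granted" and not self.is_permitted(*key, now))


if __name__ == "__main__":
    # Constructed demo data, not real subjects.
    t0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger("v1", {"web_form", "phone"})
    ledger.grant("u1", "newsletter", "web_form", t0)
    ledger.grant("u2", "summer_promo", "web_form", t0, expires_at=t0 + timedelta(days=90))
    ledger.withdraw("u1", "newsletter", "phone", t0 + timedelta(days=2))
    print(ledger.is_permitted("u1", "newsletter", t0 + timedelta(days=3)))
    print(ledger.consents_to_refresh(t0 + timedelta(days=91)))
```

The design choice worth noting is that granularity and ease of withdrawal are enforced structurally rather than by policy text: a grant carries exactly one purpose, and a channel that offers no withdrawal route cannot be used to collect consent in the first place.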
Consent is one of the UK GDPR’s six lawful bases and the one that gives individuals the most direct control over their personal data. Organisations must navigate the rules and obligations surrounding it to avoid severe penalties and maintain trust.