GDPR: From transparency to freedom – do you know the consent conditions?
Marie McGinley, Head of Intellectual Property, Technology and Data Protection at Eversheds Sutherland will be a speaker at Ireland’s GDPR conference Dublin Data Sec 2018.
The second annual data protection conference Dublin Data Sec 2018, with keynote speaker the Data Protection Commissioner (DPC) for Ireland Helen Dixon, takes place on Monday April 9 in the RDS Concert Hall.
Regulation 2016/679, the General Data Protection Regulation (the “GDPR”), is set to bring sweeping changes to data protection law in Ireland. At the heart of many of the discussions around the GDPR is the issue of consent.
Consent is the first of the six lawful bases for processing data and has undoubtedly been the most highly scrutinised. Therefore, it is vital that data controllers ensure that the consent they obtain is valid.
Four Key Consent Considerations
Consent must be:
1. Freely given
In order for consent to be freely given, there must be a genuine element of choice and control. Consent is not valid if the data subjects feel compelled to consent, will endure negative consequences if they do not consent or if consent is bundled into non-negotiable terms and conditions.
2. Specific
The GDPR does not make any changes to the law in this area; consent must be given in relation to one or more specific purposes in order to be valid.
3. Informed
As mentioned above, transparency is one of the basic tenets of data protection law. Consent is not possible without clear, accessible and easily understandable information.
4. Unambiguous
There cannot be any ambiguity over whether or not the data subject has consented to the processing of their data. The GDPR requires either a statement from the data subject or a clear affirmative action; silence, inactivity or pre-ticked boxes do not constitute valid consent. The WP29 guidance provides some helpful examples of actions that are in compliance with the GDPR, particularly in the digital context, which include actively ticking a consent box, swiping on a screen, waving in front of a camera and drawing a shape with a smartphone.
Other Considerations – Serious Data Protection Risk
WP29 gives some guidance as to the form that “explicit” consent can take in situations where there is a serious data protection risk. These situations include processing of special categories of data, data transfers to third countries and automated individual decision-making. In these cases, the higher threshold can be met by the data subject filling in an online form, sending an email or using an electronic signature.
One of the key changes introduced by the GDPR is the burden placed on the data controller to demonstrate all aspects of compliance, including the data subject’s consent. This requires that a record of consent be kept, which raises some interesting questions about the additional processing that may be required to comply with this requirement.
WP29 also highlights that data subjects should be able to withdraw their consent at any time and as easily as that consent was provided.
The GDPR clearly implies that consent should be given before processing begins, and similarly the basis for processing cannot be changed during that processing. This means that if consent is withdrawn or found to be invalid, the data controller cannot then decide to rely on another of the six grounds for processing.
Marie McGinley is Head of Intellectual Property, Technology and Data Protection at Eversheds Sutherland.
With the deadline for the General Data Protection Regulation (GDPR) fast approaching, and the increasing risk of cyber attacks, Dublin Data Sec 2018 will guide businesses and organisations through the necessary steps to compliance with a focus on transparency, security and accountability.