Is an Individuals’ consent all I need to collect to be GDPR compliant?
Published: September 10th, 2019
Author: Matt Quinn
There is a belief that consent is all that is necessary to be GDPR compliant. While it is important, it is not the only thing organisations should consider when implementing their GDPR compliance system. Rather than simply assuming consent is required, organisations should carefully review their data processing activities to determine if it is really needed.
Is Consent a new GDPR requirement?
No, consent is not a new addition to data protection law. Rather than introducing something novel, the GDPR builds on the existing Data Protection Act 1998 standard.
What is new is that the GDPR sets a higher standard for consent, so organisations may well need to review their existing consent collection mechanisms. From now on an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). The GDPR also specifically bans pre-ticked opt-in boxes, and requires distinct, or granular, consent options for different processing options. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
Why is Consent important
Consent is one of the lawful bases of processing (there are six in total) and explicit consent can also legitimize the use of special category data. Consent may also be relevant when the individual has exercised their right to restriction and explicit consent can legitimize automated decision-making and overseas transfers of data. The ICO note that “(g)enuine consent should put individuals in control, build trust and engagement, and enhance your [organisation’s] reputation”.
What should my organisation do next?
As above, consent is one lawful basis for processing, but there are alternatives. The ICO write that “consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative”.
Where consent is appropriate is if you can offer people real choice and control over how you use their data – consider something like an opt-in to a newsletter. Conversely, if you cannot offer a genuine choice then consent is not appropriate and the ICO caution that “if you would still process the personal data without consent [then] asking for consent is misleading and inherently unfair.”
Therefore, the first step your organisation should take is determining whether consent is an appropriate basis for your processing activities. Think – can you offer users of your services a genuine choice as to whether or not their personal data needs to be processed?
At Apomatix, we have an automated solution that will help you quickly and efficiently assess your GDPR compliance risks, including those related to consent. You can then use our platform to treat your companies risk based on industry standards.
If you would like to assess your companies GDPR risk in a matter of minutes, please click here to start a trial. If you would like a demo of the platform, please contact Matt from our Customer Success Team: firstname.lastname@example.org