The introduction of the new European General Data Protection Regulation gets ever nearer and is now less than 12 months away. Whilst awareness of the new regulation is rising, so is concern about how it will affect companies and organisations of all shapes and sizes. Unfortunately, part of this concern stems from the proliferation of myths and untruths about the new regulation, something that the UK’s Information Commissioner’s Office (the government body tasked with overseeing GDPR in the UK) has started to address with a new series of blogs.
The new blog starts by looking at the issue of consent.
Do you need consent to process personal data?
One of the most popular myths about the new European General Data Protection Regulations is that companies must have consent to process people’s personal data. According to the ICO:
“Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”
But does this mean that data can only be processed if an organisation has explicit consent to do so?
The answer is no. The rules around consent only apply if you are relying on consent as your basis for processing personal data; in other words, consent is only one way to comply with GDPR, and there are others.
For data processing to be lawful under the new General Data Protection Regulation, companies and organisations need to identify a lawful basis before they start processing. Besides consent, there are five other lawful bases:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
This means that consent is not the only basis on which an organisation can process personal data under the new European General Data Protection Regulation.