GDPR: Do I need consent?

The General Data Protection Regulation becomes applicable in the United Kingdom later this year, the 25th May to be precise.  There is a lot of information out there on the GDPR; some of which is incorrect.  Relying upon incorrect information could cause data controllers and processors unnecessary headaches.

In this blog post I am going to focus on just one aspect of the GDPR, upon which there seems to still be a large amount of misinformation floating around.  It is an issue of such fundamental importance that getting it wrong will inevitably lead to headaches and crises in businesses and other organisations that simply do not need to exist:  that aspect is consent.

It is not difficult to find information on the internet selling the idea that the GDPR requires the consent of data subjects before a data controller can process personal data.  It should be obvious, but in case it is not, that is completely false.  Article 6 of the GDPR sets out six grounds which make the processing of personal data lawful under the GDPR; one of those six grounds is indeed consent, but it therefore follows that there are five other grounds of lawful processing which do not require the consent of the data subject.

It is important to understand Article 6 to ensure that your GDPR preparations are on the right track; one of the first things that any data controller who is preparing for the GDPR needs to establish is upon what basis they are processing the personal data.  If a data controller goes off in the wrong direction by assuming that consent is always required then they’re going to hit a problem:  what if a data subject refuses you consent, or withdraws consent which was previously given, to process personal data where you have a statutory obligation or some other compelling business need to process it?  You’re still going to have to process that personal data, but having asked the data subject for their consent you have given them a false impression.  One of the most fundamental aspects of the GDPR is fairness:  giving a data subject a false impression on the need for consent cannot be considered to be fair.  In short, if you need to process personal data irrespective of whether the data subject has given their consent; then consent is not the appropriate Article 6 ground to rely upon.

As noted above, there are a total of six grounds in Article 6 of the GDPR which make the processing lawful.  The grounds in Article 6 are (and note they do not appear in any special order of importance):

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • the processing is necessary for compliance with a legal obligation to which the controller is subject
  • the processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child

Picking the right Article 6 grounds to legitimise your processing is vital; it feeds into so many other aspects of data protection compliance (such as your privacy notice).  Consent should only become a consideration where none of the other grounds of lawful processing in Article 6 apply.  Where some may be becoming confused with regards to consent is the requirement to be transparent with data subjects.  You have to tell data subjects clearly, and in easy to understand language, what personal data you are processing about them, how it is being processed and why you are processing it.  This is not the same as gaining their consent and should not be confused as such.

Alistair Sloan

If you require advice and assistance with any aspect of getting prepared for the GDPR, or any other Privacy and Data Protection law matter then contact us on 0345 450 0123 or you can send Alistair Sloan and E-mail.