As GDPR D-day approaches, Katie Simmonds and JP Buckley highlight the dangers of focusing on consent as a basis for processing
The GDPR sets out six lawful 'bases' for processing, consent being one of them. Consent has historically been the favoured basis as genuine consent puts individuals in control, building customer trust as well as enhancing your reputation.
However, relying on inappropriate consent can damage your reputation, leave you without the ability to use personal data and expose you to the risk of enforcement action.
We have seen a growing appreciation by many clients that past processes for obtaining consents were insufficient, failing to offer individuals a real choice or control over the information they receive and the way their data was handled, meaning it was questionable as to whether a truly 'positive opt-in' had taken place. This historical overuse has since been criticised by the ICO who have emphasised the high standard of consent under the GDPR and the record-keeping requirements for a valid consent. The message from the ICO is clear: overuse of consent will not be tolerated under the new GDPR. As such, we expect to see an increase in the current trend of exploring the alternative bases for processing (other than consent). The Data Protection Bill 2018, which is progressing through the House of Commons and currently awaiting a date for the Report Stage, also revises and expands the scope of some of the legal bases. We anticipate that, once enacted later in 2018, this will continue to accelerate the trend of moving away from reliance on consent.
Why is the lawful basis for processing important?
The first GDPR principle requires you to process personal data lawfully, fairly and transparently. Processing is only lawful if one of the six legal bases applies, as provided within Article 6 of the GDPR, being: consent, contract with the data subject, legal obligation, vital interests, public task/public interest (which applies to public sector bodies only) and legitimate interests. It is therefore vital you are able to demonstrate, and document, the legal basis for processing specific data. The best way to do this is by keeping a complete log of all processing activities (commonly called a record of processing, or data inventory, though simply called 'documentation' in the ICO's guidance), and then stating in privacy notices and data protection statements what the legal basis for processing the data is.
Without keeping a record you will be in breach of the accountability principle provided within Article 5(2) of the GDPR, which requires you (amongst other things) to demonstrate that a lawful basis applies. It is therefore insufficient and non-compliant to retrospectively apply a basis for processing, or to change the basis for processing after the fact. For example, if you have historically relied on consent and are now seeking to transition towards legitimate interests, you must ensure the data subject is aware and update your internal records to reflect the change in basis before 25 May 2018. It is also a breach of Article 13 or 14 GDPR not to state the legal basis of processing in the privacy notice.
High standard for 'GDPR consent'
The ICO guidance on consent provides for a high standard, requiring a very clear and specific statement, forbidding the use of pre-ticked boxes and other default consents. A granular approach is required and as such the use of blanket consent is non-compliant. For example, where consent is contained within other terms and conditions, it is likely this will be deemed insufficient and non-compliant. Ultimately you must ensure explicit consent is freely given, enabling people to have a genuine and ongoing choice and control over how their data is being processed and utilised.
Many companies are reviewing and changing their consent processes to ensure a GDPR standard of consent, particularly in the consumer-facing industries and for employers (where consents have traditionally been over-relied on). While this is a vital exercise, it is important to remember that consent is only appropriate if you can offer people a genuine choice and real control over how you utilise and access their data. It is important to consider that it may not always be the most appropriate lawful basis.
Would you still process the personal data without consent?
The ICO have emphasised that requesting consent from an individual will be considered 'misleading and inherently unfair' if the personal data would still be processed on a different lawful basis were consent withdrawn or refused. The premise is that such a request presents the individual with a false and dishonest choice.
Choosing a legal basis - 'Ordinary' Personal Data
The ICO Guidance on the lawful basis for processing has emphasised that a 'single-basis approach' will be insufficient for GDPR compliance, i.e. where organisations just say 'it's all based on consent'. There are multiple factors to consider when determining the legal basis, including not only the nature of the organisation and data subjects but, most importantly, the purpose for which the data is processed. For example, consider a university that processes data for both public research and alumni relations purposes. The first is clearly capable of falling within the 'public task' basis; the latter is not and will need to be captured through another basis, such as consent. Note also that certain legal bases of processing do not have some of the data subject rights applied to them, which is another good reason to select the legal basis of processing very carefully.
We also need to consider situations where the legal basis may change over time. For example, a bank may first decide to process data on the basis of consent and then obtain the appropriate consent. The bank then discovers information that leads it to suspect certain individuals may be involved in fraudulent activities. Should the bank later receive a request from the relevant individuals to remove their data, the bank would then be obliged to continue to hold the data under the legal obligation basis, to ensure it complies with its legal obligations and does not delete any data that may be relevant to future criminal investigations.
Choosing a legal basis - 'Sensitive' Personal Data / Special Categories of Personal Data
When processing Special Categories of Personal Data (the data which used to be called Sensitive Personal Data), you have a two-step test to follow.
Special Categories of Personal Data are defined within Article 9(1) GDPR and include all personal data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, (ii) genetic data and biometric data processed for the purpose of uniquely identifying a natural person and (iii) data concerning health or data concerning a natural person's sex life or sexual orientation.
These categories of data are more sensitive as this type of data could create increasingly significant risks to an individual's rights and freedoms. The GDPR recognises this and puts additional steps in place for those who need to process personal data to ensure greater protection. In order to lawfully process sensitive data you therefore must:
By way of a practical example, consider the storage of data obtained for the purpose of clinical health trials, which includes data revealing genetics, biometrics or health. While many may utilise the services of a third party to adopt techniques of pseudonymisation to avoid the retention of personal data, the personal data will still need to be processed by the entity which first obtains it. In this instance, we must first utilise one of the six lawful bases, and in the clinical trials example this would be consent. Moving on to the additional basis for processing, in this case explicit consent would also need to be obtained. In the case of clinical trials, it might be that the data subject later requests their data be removed. However, if the clinical trial involved, for example, a pregnant woman, it might be that in future either the woman or her future child may have a claim regarding the clinical trials if they believed some sort of damage was caused. Limitation for any claim brought by the child would not commence until the child turned 18, and in these circumstances the Medical Research Council recommend data be retained for a minimum of 25 years, particularly in high-risk trials. This would be covered by the vital interests basis as ultimately, if at a later date it transpires there was some sort of danger that wasn't initially known, it is in the participant's vital interests to be notified should there be a potential impact on their health.
The ICO have prepared an interactive guidance tool which consists of a stage-by-stage question and answer process, to assist you with determining which lawful basis is the most appropriate in your precise circumstances. This should be used as appropriate but in addition, we also recommend the following:
JP Buckley is a Partner at Shoosmiths in the Technology, Media and Commercial team, specialising in privacy, data protection and procurement.
Katie Simmonds is a Commercial Litigation solicitor at Shoosmiths and Deputy Head of the firm’s Dispute Resolution and Compliance team’s retail sector group.