It is very difficult to obtain valid consent. The result is that you should only rely on consent if there is no other legal processing condition that you can identify. You should not ask for consent if you will process data anyway as this could amount to unfair processing. Any consent that is not GDPR compliant after 25 May 2018 will not be valid and cannot be relied on as a legal basis for processing.
Definition of GDPR consent:
“Any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. All GDPR consent must be explicit.”
In order to obtain valid consent, the following conditions apply:
- The consent to the processing of personal data must be ‘unbundled’ and cannot be lumped in with other terms and conditions. Providing consent to the processing cannot be a prerequisite for the provision of a service unless it is necessary for the provision of that service. Requiring consent for processing that is not necessary for the provision of the service will not produce valid consent.
- There has to be an ‘active opt-in’, which means that pre-ticked opt-in boxes and any mechanism that relies on silence are invalid and consent requires a positive action on the part of the individual.
- The consent should be ‘granular’, allowing the individual to consent separately to different types of processing and different purposes of processing.
- The data controller must be ‘named’ along with any third party who will be relying on the consent. This means that naming a sector or referring to generic ‘third parties with similar interests’ will no longer allow that third party to rely on that consent.
- Consent must be ‘documented’, which means that records must be kept of what the individual consented to and when, and how they were told.
- Consent must be as ‘easy to withdraw’ as it was to provide. There must be no detriment if an individual withdraws consent or refuses to provide consent.
- Consent will only be valid if it is obtained where there is ‘no imbalance in the relationship’ between the data controller and the data subject. This will present difficulties for employers in relation to employees and public authorities, which will mean that they cannot rely on consent.
- Consent must be ‘refreshed’ at appropriate intervals, depending on the type of processing taking place.
In Scotland, under the UK Data Protection Bill, a child who has reached the age of 12 can generally be deemed competent to provide consent on his or her own behalf and exercise their own data subject rights.