GDPR best practice and consent
25 July 2018
Following implementation of the General Data Protection Regulation (GDPR) on May 25th, the UK entered into a new age of data protection.
Every business should have been fully prepared for the transition and as a result, should have embedded the systems, policies and processes required to comply with the new regulation.
What is consent?
Consent is one of the six lawful bases for processing, which are set out in Article Six of the GDPR:
“The data subject has given consent to the processing of his or her personal data for one or more specific purposes”
For further details of the six lawful bases, please refer to the ICO website.
Is consent appropriate for the general insurance sector?
Ultimately, each organisation must define its own lawful basis or bases for processing, but many factors bear on this decision. While the GDPR sets a high standard for consent, you should carefully review whether you actually need it; if consent is difficult to obtain, you should consider looking for a different lawful basis to process the data.
An organisation may select multiple lawful bases to cover different processing activities, for different datasets or different stages of the customer lifecycle; but as the ICO states, you should choose an ‘appropriate lawful basis (or bases, if more than one applies) from the start’ and not change them without a good reason.
It may be that an alternative lawful basis such as ‘contract’ or ‘legitimate interest’ is more appropriate for the GI sector, as brokers often have contractual obligations to fulfil, or their duties as a broker can serve as a legitimate interest, although a thorough balancing test would need to be performed.
In each case, the lawful basis needs to be appropriate to the organisation, the relationship with the data subject, and the processing activity.
By now, each organisation should have identified their processing activities and published their privacy statements ahead of the May 25th deadline, so where does this leave consent and when should it be considered?
Best practice for obtaining consent
Organisations should be cautious about over-reliance on consent, but this does not mean that it does not have a role to fulfil. Used correctly, consent enables organisations to build datasets of individuals (data subjects) who want to hear from and hopefully engage with the organisation. Consent should balance the relationship, build trust and engagement, and enhance the organisation’s reputation.
It is up to each organisation to choose the lawful basis which reflects their relationship with the data subject and the processing activity. You can consider using consent when no other lawful basis obviously applies, but conversely, if consent is difficult, it may well be that another lawful basis is more appropriate.
Seven practical steps brokers can take
- Review the ICO website for a thorough overview of consent, how to obtain consent and what you must do
- If you are processing special category data, you may require explicit consent to legitimise the processing, unless a specific condition in Article 9 applies. Explicit consent requires a very clear and specific statement of consent and not simply a ‘tick box’. Exemptions for insurance have been included in the Data Protection Act 2018; the Act considers insurance to be included within the ‘substantial public interest’ legal basis, which means that explicit consent may not be required in the majority of cases
- Be mindful of the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). The EU is in the process of replacing the current e-privacy law with a new e-privacy Regulation (ePR), which will impact upon marketing activity
- Keep your consent requests separate from other terms and conditions
- Be specific and ‘granular’ so that you get separate consent for separate things
- Keep detailed records of consent and the statements that were in place when consent was given
- GDPR does not stipulate a time limit for consent. How long consent lasts will depend on the context and it should be reviewed and refreshed as appropriate.
Consent must be freely given, which means giving people genuine ongoing choice and control over how you use their data.
If you are processing personal data using GDPR-compliant consent, then you must give individuals a choice and control over how their data is used and ensure that your organisation is transparent and accountable.
Used correctly, consent can form the foundation of lasting relationships between data controllers and data subjects, but failure can result in significant damage to reputation and the risk of fines.