Following implementation of the General Data Protection Regulation (GDPR) on May 25th, the UK entered into a new age of data protection.
Every business should have been fully prepared for the transition and as a result, should have embedded the systems, policies and processes required to comply with the new regulation.
Consent is one of the six lawful bases for processing, which are set out in Article Six of the GDPR:
“The data subject has given consent to the processing of his or her personal data for one or more specific purposes”
For further details of the six lawful bases, please refer to the ICO website.
Ultimately, each organisation must define its own lawful basis or bases for processing, but there are many factors which impact upon this decision. While the GDPR sets a high standard for consent, you should carefully review whether you actually need it; if obtaining valid consent is difficult, you should consider looking for a different lawful basis to process the data.
An organisation may select multiple lawful bases to cover different processing activities, for different datasets or different stages of the customer lifecycle; but as the ICO states, you should choose an ‘appropriate lawful basis (or bases, if more than one applies) from the start’ and not change them without a good reason.
It may be that an alternative lawful basis such as ‘contract’ or ‘legitimate interest’ is more appropriate for the GI sector, as brokers often have contractual obligations to fulfil, or their duties as a broker can serve as a legitimate interest, although a thorough balancing test would need to be performed.
In each case, the lawful basis needs to be appropriate to the organisation, the relationship with the data subject, and the processing activity.
By now, each organisation should have identified its processing activities and published its privacy statements ahead of the May 25th deadline, so where does this leave consent, and when should it be considered?
Organisations should be cautious about over-reliance on consent, but this does not mean that it does not have a role to fulfil. Used correctly, consent enables organisations to build datasets of individuals (data subjects) who want to hear from and hopefully engage with the organisation. Consent should balance the relationship, build trust and engagement, and enhance the organisation’s reputation.
It is up to each organisation to choose the lawful basis which reflects their relationship with the data subject and the processing activity. You can consider using consent when no other lawful basis obviously applies, but conversely, if consent is difficult, it may well be that another lawful basis is more appropriate.
Consent must be freely given, which means giving people genuine ongoing choice and control over how you use their data.
If you are processing personal data using GDPR-compliant consent, then you must give individuals a choice and control over how their data is used and ensure that your organisation is transparent and accountable.
Used correctly, consent can form the foundation of lasting relationships between data controllers and subjects, but failure can result in significant damage to reputations and risk potential fines.