GDPR Blog: Legal advice relating to Consent should be revisited
In the scramble to achieve data protection compliance last year, some lawyers assessed their clients' businesses and identified consent as the lawful basis on which to process personal data under the GDPR. In many cases, this was the obvious choice and maintained the status quo, as many companies were already using consent to acquire personal data and it was a fair assumption that this would continue, albeit under more stringent conditions. This was then recorded in the suite of data protection documents required under the GDPR's transparency and accountability principles (see Blog 9 for further information).
Consent is only one example of a lawful basis for processing data; there are others, such as "legitimate interests" or "performance of a contract", which may be relied upon instead if certain criteria can be met. The GDPR raises the bar to a higher standard for consent and requires businesses to review how they obtain, record and manage that consent.
Nearly one year on from the implementation of the GDPR, consent is now widely considered the least preferred option because of its unstable nature. Primarily this is because it may be withdrawn at any time. Given the substantial publicity surrounding the GDPR last year, many, if not most, people are now aware of their enhanced rights where others process personal data about them. Some businesses may not have the IT infrastructure, resources or know-how to deal with the withdrawal of someone's consent, and significant effort may be required to respond to such a request.
This was particularly the case in the marketing sector, where companies did not have the ability to use the performance of a contract as a lawful basis for processing data. What has emerged since last May is that the lawful basis of "legitimate interests" offers the most flexible solution to businesses seeking to process customer or employee personal data. This would apply to an insurance company processing an individual's claims information, or a bank processing data for fraud prevention purposes, but it may be applied more widely by any business that can demonstrate that it has a legitimate need to use the personal data and that the privacy rights of the individual, or "data subject", have not been adversely affected. If there are concerns about this, then a Legitimate Interests Assessment (LIA) document should be prepared. This is similar to a risk assessment: it identifies the privacy risks to the individual and records the technical and organisational measures implemented to mitigate those risks.
Something to be aware of is that you may be more constrained in avoiding the consent basis if you are processing special category data (SCD), such as health, biometric, political, religious and other types of sensitive data. The requirements here are more stringent and do not offer the flexibility of relying on the legitimate interests mechanism for processing. Unless you are processing SCD for employees, you will usually need to seek explicit consent from data subjects for this category of data.
If your privacy notices still cite consent as the lawful basis for processing personal data, then you should contact your lawyer (preferably the one who drafted the documents) and discuss whether it would be more appropriate for these documents to be redrafted.
If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.email@example.com, on Twitter @LNWdataprotect or by telephone on 0191 226 3699.