The GDPR sets out six lawful ‘bases’ for processing, consent
being one of them. Consent has historically been the favoured basis as genuine
consent puts individuals in control, building customer trust as well as
enhancing your reputation.
However, relying on inappropriate consent can be potentially
damaging to your reputation, leave you without the ability to use personal data
and leaves you exposed to the risk of enforcement action.
We have seen a growing appreciation by many clients that
past processes for obtaining consents were insufficient, failing to offer
individuals a real choice or control over the information they receive and the way
their data was handled, meaning it was questionable as to whether a truly
‘positive opt-in’ had taken place. This historical overuse has since been
criticised by the ICO who have emphasised the high standard of consent under
the GDPR and the record-keeping requirements for a valid consent. The message
from the ICO is clear: overuse of consent will not be tolerated under the new
GDPR. As such, we expect to see an increase in the current trend of exploring
the alternative bases for processing (other than consent). The Data Protection
Bill 2018, which is progressing through the House of Commons and currently
awaiting a date for the Report Stage, also revises and expands the scope of
some of the legal bases. We anticipate that, once enacted later in 2018, this
will continue to accelerate the trend of moving away from reliance on consent.
Why is the lawful basis for processing important?
The first GDPR principle requires you to process personal
data lawfully, fairly and transparently. Processing is only lawful if one of
the six legal bases apply, as provided within Article 6 of the GDPR,
being: consent, contract with the data subject, legal obligation, vital
interests, public task/public interest (which applies to public sector bodies
only) and legitimate interests. It is therefore vital you are able to
demonstrate, and document, the legal basis for processing specific data. The
best way do to this is by keeping a complete log of all processing activities
(commonly called a record of processing, or data inventory, though simply
called ‘documentation’ in the ICO’s guidance), and then stating in privacy
notices and data protection statements what the legal basis for processing the
data is.
Without keeping a record you will be in breach of the
accountability principle provided within Article 5(2) of the
GDPR which requires you (amongst other things) to demonstrate that a lawful
basis applies. It is therefore insufficient and non-compliant if you seek to
later retrospectively apply a basis for processing or even change the basis for
processing. For example, if you have historically relied on consent and are now
seeking to transition towards legitimate interests, you must ensure the data
subject is aware and update your internal records to reflect the change in
basis before 25 May 2018. It is also a breach of Article 13 or 14 GDPR not to
state the legal basis of processing in the privacy notice.
High standard for ‘GDPR consent’
The ICO guidance on consent provides for a high standard,
requiring a very clear and specific statement, forbidding the use of pre-ticked
boxes and other default consents. A granular approach is required and as such
the use of blanket consent is non-compliant. For example, where consent is
contained within other terms and conditions, it is likely this will be deemed
insufficient and non-compliant. Ultimately you must ensure explicit consent is
freely given, enabling people to have a genuine and ongoing choice and control
over how their data is being processed and utilised.
Many companies are reviewing and changing their consent
processes to ensure a GDPR standard of consent, particularly in the
consumer-facing industries and for employers (where consents have traditionally
been over-relied on). While this is a vital exercise, it is important to
remember that consent is only appropriate if you can offer people a genuine
choice and real control over how you utilise and access their data. It is
important to consider that it may not always be the most appropriate lawful
basis.
Would you still process the personal data without consent?
The ICO have emphasised that requesting consent from an
individual will be considered ‘misleading and inherently unfair’ if the
personal data would still be processed on a different lawful basis if consent
was either withdrawn or refused. The premise for this being that it presents
the individual with a false and dishonest choice.
Choosing a legal basis – ‘Ordinary’ Personal Data
The ICO Guidance on the lawful basis for processing has
emphasised that a ‘single-basis approach’ will be insufficient for GDPR
compliance – ie where organisations just say ‘it’s all based on consent’. There
are multiple factors to consider, including not only the nature of the
organisation and data subjects but most importantly the purpose for which the
data is processed when determining the legal basis. For example, consider a
university that processes data for both public research and alumni relations
purposes. The first is clearly capable of falling within the ‘public task’
basis and the latter is not and will need to be captured through another basis,
such as consent. Note also that certain legal bases of processing do not have some
of the data subject rights applied to them – so another good reason why you
will want to select the legal basis of processing very carefully.
We also need to consider situations where the legal basis
may change over time. For example, a bank may first decide to process data on
the basis of consent and then obtain the appropriate consent. The bank then
discovers information that leads them to suspect certain individuals may be
involved in fraudulent activities. Should the bank later receive a request from
the relevant individuals to remove their data, the bank would then be obligated
to continue to hold the data pursuant to the legal obligation basis to ensure
they comply with their legal obligations and do not delete any data that may be
relevant to future criminal investigations.
Choosing a legal basis – ‘Sensitive’ Personal Data / Special
Categories of Personal Data
When processing Special Categories of Personal Data (that
data which used to be called Sensitive Personal Data) then you have a two-step
test to follow.
Special Categories of Personal Data are defined within Article 9(1) GDPR and
include all personal data (i) revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs or trade union membership, (ii) genetic
data and biometric data processed for the purpose of uniquely identifying a
natural person and (iii) data concerning health or data concerning a natural
person’s sex life or sexual orientation.
These categories of data are more sensitive as this type of
data could create increasingly significant risks to an individual’s rights and
freedoms. The GDPR recognises this and puts additional steps in place for those
who need to process personal data to ensure greater protection. In order to lawfully
process sensitive data you therefore must:
- first choose one of the six lawful bases provided within
Article 6 GDPR as detailed above; and - additionally demonstrate one of the additional basis
contained within Article
9(2) of the GDPR applies as follows: explicit consent, compliance with
employment laws, vital interests, for the purpose of a not-for profit
organisation (excluding the disclosure to third parties), the information being
public already, purpose of legal proceedings, purpose of administering justice/
exercising statutory or government functions, for medical purposes or for
monitoring quality of opportunities.
By way of a practical example, consider the storage of data
obtained for the purpose of clinical health trials, which includes data
revealing genetics, biometrics or health. While many may utilise the services
of a third party to adopt techniques of pseudonymisation to avoid the retention
of personal data, the personal data will still need to be processed by the
entity which first obtains it. In this instance, we must first utilise one of
the six lawful bases and in the clinical trials example this would be consent.
Moving onto the additional basis for processing, in this case explicit consent
would also need to be obtained. In the case of clinical trials, it might be
that the data subject later requests their data be removed. However, if the
clinical trial involved, for example, a pregnant woman, it might be that in
future either the woman or her future child may have a claim regarding the
clinical trials if they believed some sort of damage was caused. Limitation for
any claim brought by the child would not commence until the child turned 18 and
in these circumstances the Medical Research Council recommend data be retained
for a minimum of 25 years, particularly in high-risk trials. This would be
covered by the vital interests basis as ultimately, if at a later date it
transpires there was some sort of danger that wasn’t initially known, it is in
the participant’s vital interests to be notified should there be a potential
impact on their health.
Practical guidance
The ICO have prepared an interactive guidance tool which consists of a stage-by-stage
question and answer process, to assist you with determining which lawful basis
is the most appropriate in your precise circumstances. This should be used as
appropriate but in addition, we also recommend the following:
- If you are able to rely on the contract with the data
subject, legal obligation or public interest legal bases, our recommendation is
to do so as generally the position is clear-cut as to whether you are GDPR
compliant, providing you comply with the subsequent accountability
requirements. - Consent is only to be relied upon in instances where another
legal basis does not apply. - Where consent is relied upon, both internal and external
policies (as well as the consent capture statement) should be reviewed to
ensure the high standard GDPR consent is obtained and monitored and they are
all consistent. - Processing pursuant to the ‘vital interests’ basis should
ideally be used only as a last resort, ie where it is necessary to avoid death
or serious injury. - All records should be kept up to date to reflect the
appropriate legal basis relied upon, to ensure compliance with accountability
and transparency obligations. - Ensure staff are given appropriate training so they are
aware of the legal basis being relied upon and appreciate its importance, and
that some data subject rights apply only to certain legal bases of processing.
JP Buckley is a Partner at Shoosmiths in the Technology,
Media and Commercial team, specialising in privacy, data protection and
procurement.
Katie Simmonds is a Commercial Litigation solicitor at
Shoosmiths and Deputy Head of the firm’s Dispute Resolution and Compliance
team’s retail sector group.