Obtaining Consent from Data Subjects in order to process their data has long been an area of ambiguity, open to broad interpretation across EU Member States. The GDPR certainly tightens the rules and clearly defines Consent. However, there are still areas where further guidance is being sought and areas which may still be open to interpretation. Here is our 10-point quick guide:
1. Definition of Consent
The GDPR defines Consent and states that it must be “freely given, specific, informed and unambiguous” and it must be given by a “clear affirmative action by the data subject”. Furthermore, the regulation stipulates that different types of data require different consent. It is not permitted to present individuals with an all-or-nothing approach. It also specifies that Consent is not valid where there is “a clear imbalance between the data subject and the controller”.
2. Inactivity Inadequate
When Controllers are gaining Consent, GDPR presumes “silence, pre-ticked boxes or inactivity” to be inadequate. The UK Regulator already takes a dim view of pre-ticked boxes. The ICO’s Direct Marketing Guidance (March 2016) states: a pre-ticked box will not automatically demonstrate consent, as it will be hard to show that the presence of the tick represents a positive, informed choice by the user. This will be further tightened under the GDPR, and organisations won’t be able to rely on inactivity to gain consent, i.e. an individual simply not responding to a communication.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.