In our latest blog, Lawpoint explores the 3 reasons why businesses should revisit whether they actually need consent to process personal data…
The law says that to process (i.e., use) personal data, there must be a legal justification for doing so. The UK GDPR sets out 6 legal justifications that could apply to processing personal data and consent is just one of them.
Consent is not always needed to process personal data, and it is not always the failsafe that businesses may think it is.
The Information Commissioner’s Office (ICO), the domestic watchdog for data protection, in its Consent Guidance says “Consent is one lawful basis for processing, but there are five others. Consent won’t always be the most appropriate or easiest.”
In September last year, the Government in a consultation paper on ‘Data: a new direction’ said it had heard evidence that there is an over-reliance on consent as a ground for processing personal data (para 30).
It’s easy to see why collecting consent from individuals to use their personal data could be seen as the failsafe option. If in doubt, go for the safe option. But if it’s not the right legal ground for the activity and personal data being processed, it could be causing you more trouble than it’s worth and could hold hidden risks.
Here are 3 reasons why you might want to reconsider:
1. Real consent required?
Does the individual truly have the choice of whether you process their data? If you still intend to use the personal data without consent (e.g., to keep names and addresses for invoicing purposes), then this is not a consent situation. Moreover, the ICO in its Consent Guidance says this is unfair and presents the individual with a false choice and the illusion of control.
2. Record keeping
If you do decide to collect consents, you are duty-bound to manage them and keep records of them. The Consent Guidance gives a long list of information you are required to keep in respect of the consents you have collected, including the information you gave to the individual at the time you collected the consent and whether consent has been withdrawn.
3. Refresh
Any consent you collect will not last forever. The ICO expects you to refresh consents at least every two years, if not sooner depending on the context (e.g., if you collected consent to use personal data in relation to a one-off summer event, is the consent wide enough to cover ongoing use of the personal data once that summer event ends?).
We understand that consent can be a minefield. If you have any questions, then contact Tracey: tracey@law-point.co.uk or call 01202 729444.