The General Data Protection Regulation (GDPR) was adopted on 8 April 2016 and will take effect on 25 May 2018. It is intended to replace the existing Data Protection Act (DPA) and update the data protection regime across Europe. The Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
The GDPR applies to ‘controllers’ and ‘processors’ as defined in the DPA. Controllers decide how and why personal data is processed, and processors act on the controller’s behalf. If a company is currently subject to the DPA, it is likely that it will also be subject to the GDPR.
The GDPR applies to processing carried out by companies operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
The GDPR applies to ‘personal data’. This includes the same forms of directly identifying data as under the current regime, as well as indirectly derived data such as IP addresses and mobile phone usage data. This reflects changes in technology and in the way companies now gather information about people. The GDPR will apply both to automated personal data and to manual filing systems where personal data is accessible.
The GDPR is quite complex, so in this first post of many we will concentrate on the important issue of consent.
There are a variety of ways to ensure that data processing is lawful under the GDPR. One such lawful basis is obtaining an individual’s consent pursuant to Article 6(1)(a).
Such consent must be:
- freely given and opt-in;
- specific and granular;
- informed; and
- an unambiguous indication of the individual’s wishes.
It is therefore important to ensure that the request for consent is kept separate from a company’s usual terms of business and is presented in clear and plain language (unambiguous). Consent must also be as easy to withdraw as it is to give. Consent must be given separately for each intended use (specific and granular: the individual must understand in specific detail what consent is being sought for, and multiple consents may be required for different types of data processing), and it cannot be assumed or obtained through pre-ticked boxes (opt-in). Where data is to be transferred to a third party, that third party will need to be named expressly, and the person collecting the data remains responsible for the manner in which the third party processes it.
A company’s data controller must be able to demonstrate that consent has been sought and given. Existing consent may also be considered lawful, but only where the new conditions have been met; where they have not, the advice is to obtain consent afresh under the new conditions.
The Recitals to the Regulation provide that consent will not be regarded as freely given if the individual has no genuine or free choice to consent, or is unable to refuse or withdraw it without detriment. Furthermore, the GDPR states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on consent to the processing of data that is not necessary to perform that contract.
Where personal data is processed for direct marketing, the individual will have a right to object to initial and/or further processing. This right will have to be explicitly brought to their attention and, again, presented clearly and separately from any other information.
It is important to review collected marketing data and consents early, as the GDPR regime will apply to all held data as soon as it comes into force. This means that data collected without following the new consent regime will be unusable once the GDPR comes into force and will have to be deleted.