A prevailing myth of both the Data Protection Act and more recently, the GDPR is that you can only use a person’s personal data with their consent, and a subset of this belief is that although you can use personal data without gaining consent first, that this practice it is frowned upon. This belief has been repeated by many quite reputable sources, and is something heard regularly when running Data Protection training sessions. Fortunately for both consumers, organisations, and humans in general, all processing of personal data does not need consent. Not only is consent not needed it is also not the preferred method, as noted by the ICO who have stated “no single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual”.
All processing of personal information must be fair and legal, and to be legal it needs to fit into a ‘condition for processing’. There are six conditions for processing which can legitimise your activity and these can be summaried as:
It is important to take note of the word ‘necessary’ here, and not try and legitimise processing which is surplus to requirements of the core processing through an incorrect condition. Activities should fit neatly into one of the above, and if it doesn’t that is the point where consent is considered and a clear way of capturing consent in a freely given way is set out to the individual. Consent should not be chosen as the condition for processing if the processing could cause detriment to a person, or if it isn’t a real choice. For example- if a person is buying a cup of coffee the coffee shop would not ask them if they consent to their payment details being processed in order to pay, as if the customer declined they would not be able to buy a cup of coffee, hence it is not a real choice. The coffee shop would be providing a service and so this processing would fit under the ‘contract’ provision. Although it can seem like a paper exercise, picking the incorrect condition for processing can lead to serious issues later on if you need to reuse the information for any purpose, or if a person wants to exercise their right to erasure, objection (or withdrawal of consent), or portability based on what condition for processing you have given, and finds out they are not eligible for the right. For example, if the coffee shop had asked the customer for their consent to process their payment information, in the future the customer would have the right for the shop to delete that information, which would put them in a tricky situation with either just the ICO or the tax man and the ICO depending on how they handled it.
The only hard and fast rule (which isn’t always necessarily clear cut, as we’ll discuss next week), is that direct marketing to individuals needs to have explicit consent in order to be legal under GDPR (and the Personal Electronic Communications Regulations). This was not necessarily always the case, as previously organisations could rely on ‘soft opt in’, a practice where if a person had already shown they were interested by enquiring or previously purchasing from an organisation, it could be assumed they wanted to hear from them in the future. This is now not the case, and a clear indication that the person wants to be marketed to separate to (for example) wanting to go ahead with a purchase or other service, must now be collected. In other words, the coffee shop can’t assume that the customer wants emails about their coffee offers because they bought coffee from their shop.
A significant amount of confusion seems to stem from the need to tell people how you are using their data. With a few exceptions, all organisations need to tell people what they are doing with their information in the form of a ‘privacy notice’, which is given on collection of the data. Some privacy notices do ask for consent, as privacy notices are given at the start of a relationship with an individual and this is the best time to gain consent. However most notices are for information only and are necessary in order for organisations to be transparent and open about what happens with individual’s personal data, not for collecting consent. Not using consent doesn’t exempt an organisation from giving notice, but giving a notice doesn’t mean you need a tick box for a person to agree with it either.
As with the Data Protection Act, the GDPR has an addition set of conditions for processing for ‘sensitive personal data’, also now known as ‘special categories’ (the name changes are no doubt to keep us all on our toes!). There are 10 conditions for processing for sensitive personal data, but these come with more caveats (which are not listed) than conditions for non-sensitive personal data:
For most organisations which are not a public body or a not for profit, this means that they almost definitely will need explicit consent to process sensitive personal information. For some types of data, this is a vague area of the legislation, for example, some browsing history could be considered sensitive personal data (if you were to search ‘how to get rid of a migraine’ or ‘gout symptom checker’), yet these have traditionally not been caught by the much stricter provisions for sensitive personal data. However, most data which comes under the definition of sensitive personal data will be quite clear cut and the ICO does not take lightly to it being processed without a clear legal basis.
Mythbusting conclusion: Your organisation has many more conditions for processing to rely on other than consent for most personal data, however you mustn’t (generally speaking) use a person’s data without their knowledge, and if you want to start processing sensitive personal data you are likely going to have to use explicit consent.
Next week RiverWolf takes a close look at GDPR and Marketing.