The small business no-nonsense guide to GDPR Part II: The right to process
The right to process
We have now covered a basic overview of what the GDPR is. We have gone over the preliminary steps you should take before you actually change your current data processing system as well.
From this point onward we will be getting into the detail of the legislation and specifically what you have to do to comply with it.
The foundation of compliance is that you need a lawful basis for processing personal data. The GDPR provides six lawful bases for processing. No single basis is a stronger justification for processing than any other; what matters is which basis is most appropriate for the purpose(s) of the processing you intend to do and for your relationship with the individual whose data you intend to process.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Consent: The individual has given clear consent for you to process their personal data for a specific purpose.
Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: The processing is necessary to protect someone’s life.
Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. However, this does not apply if you are a public authority processing data to perform your official tasks.
As a small business, only a few of these lawful bases will apply to you when processing data. The most likely is consent, which we will focus on next.
How to gain consent
The GDPR defines consent in Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice then you should not use consent as a lawful basis for processing personal data.
Clear affirmative action means the individual must take deliberate action to opt in, even if this is not expressed as an actual opt-in box. For example, other affirmative opt-in methods could take the form of signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default.
Conditions for consent
Article 7 describes the conditions for consent but they can be summarised as your consent mechanism being specific, granular, clear, prominent, documented and easily withdrawn:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid. You should instead use unticked opt-in boxes or similar active opt-in methods, such as a binary choice given equal prominence.
- Granular: Give granular options to consent separately to different types of processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on consent. Even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: Consent will not be freely given if there is imbalance in the relationship between the individual and the controller.
When consent isn’t appropriate
As stated earlier, if you can’t offer people a genuine choice over how you use their data then consent is an inappropriate lawful basis for processing. This may be the case if, for example:
- You would still process the data on a different lawful basis if consent were refused or withdrawn. For example, a company that provides credit cards asks its customers to give consent for their personal data to be sent to credit reference agencies. If the customer were to refuse, the company could still send the data to credit reference agencies on the basis of ‘legitimate interests’.
- Consent to the processing is a precondition of accessing your services. In some cases this might not even constitute valid consent. Instead, if you believe processing is required for the service, then the better lawful basis for processing would be processing for the performance of a ‘contract’.
- You are in a position of power over an individual, for example as their employer. They obviously cannot freely give consent, as they may fear adverse consequences or feel they have no choice but to agree. In this case the better lawful basis for processing could be processing for the performance of a ‘public task’.
In each of the above examples, consent is not the most appropriate lawful basis for processing data. Think about the nature of the data that you are processing and whether another lawful basis is more suitable than consent.
Implied vs Explicit Consent
You must make it clear to the individual what the purpose of the processing that you intend to do is. You must then restrict your processing to only that which you have stated in the consent documentation.
For example, if an individual drops their business card into a prize draw box in a coffee shop, this can be seen as an affirmative action that clearly indicates they consent to having their name and contact number being processed for the purposes of the prize draw. It does not entitle the coffee shop to use those same details for marketing or any purpose other than the prize draw that the individual entered. This example is a case where we have implied consent which is inferred from someone’s action, in this case dropping their business card in the prize draw box.
In the example below, an individual must give consent explicitly by ticking an opt-in box to receive emails about products and special offers. The ‘explicit’ element of any consent statement should be separate from any other consent you are seeking and it should clearly refer to the exact processing for which you are seeking consent. If relevant, you should state the nature of the special category data you are trying to collect as well.
RealtimeCRM can aid you in recording consent by allowing you to create a custom field which records the specific processing the individual has agreed to and when they agreed to it. Using the example above, a business such as ‘We do Hairdos’ could scan the filled-in consent form and link it to the appropriate Contact record via RealtimeCRM’s Documents feature. In that way you have the nature of the consent and proof of the consent all in one place, associated with the relevant individual.
How often do I have to revisit my consent?
The GDPR does not put a time limit for consent. Context is far more important. If your processing operations or purposes evolve then your original consent may no longer be specific or informed enough to be valid. If this happens you will need to seek fresh consent or identify another lawful basis.
What about Children and Consent?
Article 8 of the GDPR describes when a child can and cannot give consent. It states that if that child is at least 16 years old then they are capable of consenting to their personal data being processed. Otherwise, if they are under 16 years old you must gain consent from the holder of parental responsibility over the child.
However, member states can choose to lower the minimum age at which a child can provide consent, and in fact the UK may choose to lower the minimum age to 13. If you do choose to rely on children’s consent you’ll have to implement age verification measures and make reasonable efforts to verify parental responsibility for those under the relevant age.
Document your Consent
Ensure that you keep records to evidence consent. They should clearly state who consented, when, how, and what they were told. We have already discussed how software such as RealtimeCRM can help you achieve this. You should also make it easy for people to withdraw consent at any time, preferably in the same manner in which they first consented.
This means that, ideally, if they consented via an online form they should be able to withdraw consent via an online form that is easy to find and use.
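The conditions for consent listed earlier (active opt-in, granular purposes, named parties, documented, easy to withdraw) and the record-keeping described in this section map directly onto a small consent store. The following is an added example written for this guide; it is not code from the original page, from RealtimeCRM, or from the ICO. The class names, field layout, the third-party name and the sample timestamps are assumptions constructed for illustration; only ‘We do Hairdos’ and the email opt-in wording come from the guide’s own example.

```python
"""Consent record store (added example; not from the original guide or RealtimeCRM).

Enforces the consent conditions described above: a pre-ticked or defaulted
'yes' is rejected, each record covers one specific purpose, the controller and
third parties are named, the exact statement shown is kept with when/how the
person agreed, and withdrawal is a single call with no extra conditions.
All names, fields and sample data are assumptions constructed for this example.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


class ConsentError(ValueError):
    """Raised when a consent request would not be valid under the conditions above."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                     # one specific purpose per record (granular)
    controller: str                  # your organisation, named
    third_parties: tuple             # named organisations relying on the consent
    statement_shown: str             # the exact wording the person was shown
    method: str                      # how they consented: "web_form", "signed_paper", "oral"
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """In-memory store of consent records; a real system would persist these."""

    def __init__(self):
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id, purpose, controller, third_parties,
                       statement_shown, method, opted_in, preticked=False, now=None):
        # Active opt-in: a pre-ticked box or a default "yes" is not consent.
        if preticked or not opted_in:
            raise ConsentError("consent needs a deliberate, un-defaulted opt-in")
        # Granular: one purpose per record, so purposes cannot be bundled.
        if not purpose or not purpose.strip():
            raise ConsentError("a specific purpose is required")
        # Named: the controller and every third party must be named, not a category.
        if not controller.strip() or any(not p.strip() for p in third_parties):
            raise ConsentError("controller and third parties must be named")
        # Documented: what the person was told must be stored with the record.
        if not statement_shown.strip():
            raise ConsentError("the statement shown must be recorded")
        rec = ConsentRecord(subject_id, purpose, controller, tuple(third_parties),
                            statement_shown, method, now or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def is_permitted(self, subject_id, purpose) -> bool:
        """True only if an active (not withdrawn) consent exists for exactly this purpose."""
        return any(r.active for r in self._records
                   if r.subject_id == subject_id and r.purpose == purpose)

    def withdraw(self, subject_id, purpose, now=None) -> int:
        """Withdraw consent for one purpose; as easy as giving it. Returns records affected."""
        when = now or datetime.now(timezone.utc)
        count = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.active:
                r.withdrawn_at = when
                count += 1
        return count

    def evidence(self, subject_id) -> list:
        """Who consented, to what, when, how, and what they were told."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


def demo() -> dict:
    """Walk through the hairdresser opt-in scenario; sample data is constructed."""
    store = ConsentStore()
    t0 = datetime(2018, 4, 3, 10, 0, tzinfo=timezone.utc)   # constructed timestamp
    store.record_consent("contact-42", "marketing_email", "We do Hairdos",
                         ("Example Mailing Ltd",),            # constructed third-party name
                         "Tick here to receive emails about products and special offers.",
                         "web_form", opted_in=True, now=t0)
    results = {"email_allowed": store.is_permitted("contact-42", "marketing_email"),
               # Nothing was said about SMS, so that use is refused rather than inferred.
               "sms_allowed": store.is_permitted("contact-42", "marketing_sms")}
    try:
        store.record_consent("contact-42", "marketing_sms", "We do Hairdos", (),
                             "Pre-ticked box on signup", "web_form",
                             opted_in=True, preticked=True, now=t0)
        results["preticked_accepted"] = True
    except ConsentError:
        results["preticked_accepted"] = False
    results["withdrawn"] = store.withdraw("contact-42", "marketing_email", now=t0)
    results["email_after_withdrawal"] = store.is_permitted("contact-42", "marketing_email")
    results["evidence_entries"] = len(store.evidence("contact-42"))
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `is_permitted` matches on the exact purpose string, so consent given for one purpose can never be stretched to cover another (the prize-draw-versus-marketing situation from the previous section), and `withdraw` needs no more information than `record_consent` did, which is what “as easy to withdraw as to give” means in practice.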
You should not leave it to the last minute to review your current consent documentation. If it is insufficient then you need to get the proper consent now. It would be very unwise to wait until the last minute, because you will not be the only business playing catch-up. We can imagine inboxes filling up around the month of May with businesses trying to get consent.
If you’re ahead of the game you’re less likely to annoy people and therefore more likely to get the proper consent.
If you’d like more information regarding consent then take a look at the ICO’s guidance below: