(GDPR) - Do You Really Need That Explicit Consent?

Are you worried when you see the word ‘GDPR’?

It’s infuriating, isn't it?

It’s been 5 months since GDPR.

Wait! If you are new to this whole thing — read our GDPR guidebook for starters.

What has changed? Oh yeah, now we get to experience those beautifully designed cookie banners on almost all the websites under the sun!

Does that mean they are compliant? Hell, no! that’s not the only thing you need to do. However, if you still haven’t got your cookie banner up and running –— try this WordPress plugin

So, quick question:

Are you GDPR compliant?

I know what you are thinking!

Don’t worry, you’re not alone. . .

According to the research by Datanami, the 14 largest companies in the world are not compliant—including Facebook.

Feeling better?

In any case, you need to be compliant irrespective of who else is compliant.

You can get more practical advice here — how to be GDPR compliant

But regarding this article let’s stick to the one topic that has been making all the headlines — ‘Consent, I mean Explicit Consent’.

So, what is ‘Explicit Consent’, in terms of GDPR?

Consent simply means that you need to have the data subject’s permission in order to process their data, and it is one of the methods you can follow to become GDPR compliant!

The concept of ‘Explicit Consent’ is one of the most impactful consequences of the GDPR. And the main reason is that GDPR requires you to obtain ‘a clear affirmative action or a statement’ in an explicit manner from the data subjects.

A data subject is any individual whose personal data is processed by a controller or a processor.

If you are getting overwhelmed by these legal words — read this to get a basic understanding of GDPR terminology.

Becoming GDPR compliant means you need to prove a lawful basis on how you’re dealing with data processing in your organisation.

Explicit Consent has been topping the news all the time and many organisations were/are worried about whether they need to get fresh consent from their prospects and clients.

There’s been a lot of misconceptions about explicit consent and whether it is the only lawful basis and so on. . .

Let’s be honest. GDPR still has a lot of grey areas.

Let’s discuss explicit consent, and what’s the fuss about it:

Do you really need that explicit consent?

No! here’s the thing — consent is just one of the 6 lawful bases to comply with.

According to Art. 6 GDPR, the lawfulness of data processing includes:

1. Consent
2. Contract
3. Legal Obligation
4. Vital Interests
5. Public Task
6. Legitimate Interests

So, explicit consent is not the only method by which you can get your GDPR compliance badge.

Okay, so what’s the best lawful basis?

No single basis is ’better’ or more important than the others – meaning, you can follow any of them depending on your purpose and relationship with the data subject.

Does it also mean you can follow more than one lawful basis?

Yes, you can — because it’s not like one lawful basis per one organisation.

You don’t have to pick one for your organisation and stick with it. Simply speaking, you shouldn't go for a one-size-fits-all solution in case of a lawful basis for processing.

Ideally, you should start by identifying each and every data pool that you hold and process — such as existing customers’ data, prospective customers’ data, suppliers’ data, employees’ data, website visitors’ data, and so on so forth. . .

And then you need to carefully decide and apply an appropriate lawful basis for each of those data pools you hold and process.

Whatever lawful basis you follow, you need to clearly state the same in your privacy policy in an easily understandable language.

But the sad thing is — even the biggest companies that we know are not up to the mark with GDPR. Their privacy policies are vague and not transparent enough. We’ll get to some specific examples in a while.

Any ways, back to explicit consent! It’s hard to get explicit consent and maintain it and more importantly prove (make it auditable) it when necessary.

This is where it gets tricky – The Recital 171 of the GDPR goes like this:

“Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation”

Put as simply as possible, it means that you can continue to use the consent you have already obtained pre-GDPR if that consent is in line with GDPR standards i.e. unambiguous, demonstrable, and explicit consent. That’s the issue. Most businesses haven’t obtained consents in-line with GDPR before GDPR, simply because they weren't aware of GDPR.

For example, if your sign-up form has a pre-ticked box combining consent with a terms & conditions statement, then clearly your consent for this data pool is not in-line with GDPR standards and you can not use it from now on.

So, if that is the case with you, then they are invalid, and you can’t rely on them.

Even if you have carefully unbundled the consent from terms and conditions and have been getting the consent up to GDPR standards, you’ll still need to be able to demonstrate that consent. But pre-GDPR we hadn't known about the demonstrating factor and did not have a mechanism in place to maintain and demonstrate consent. So, explicit consent is not the appropriate legal basis upon which to process the data under GDPR.

Sounds very complex right? This is why explicit consent is the most discussed topic.

So, what can you do now? What’s the alternative?

Legitimate interests!

Is Legitimate Interests a GDPR gift?

Legitimate interests are simply the benefits you may gain by processing the data; you need to keep in mind that those benefits shouldn't override the basic rights of the data subject.

Also, if you've decided to use legitimate interests as your lawful basis of processing, you need to keep in mind another important aspect in this concept which is laid out in Recital 47:

Legitimate interest is the most flexible lawful basis for processing. However, it is necessary to use people’s data only “in the ways that they would reasonably expect you to use [it], and which have a minimal privacy impact, or where there is a compelling justification for processing.”(ICO)

That means you can only use legitimate interests if the data subject can reasonably know what you are going to do with it at the time of providing the data itself.

Let’s take an example to make our lives easier. . .

When you browse Pizza Hut’s website and order something, you obviously leave your personal details. Now, it is perfectly understandable, even a normal UK Citizen, that Pizza Hut is going to use his details to contact him. That’s in the legitimate interest of Pizza Hut, which is not overridden by basic rights. However, Pizza Hut should not use the same details to send you an SMS every week! Why? Because when you gave your contact details you did not reasonably expect them to send you weekly SMS coupons.

So, if you want to use legitimate interests in any of your data processing activities, you need to do so ideally through a process in which you can assess the situation:

• You need to identify a legitimate interest
• Deduce that processing is necessary to achieve your interests
• Balance it against a data subject’s interests, rights and freedom

That being said, legitimate interests should, in no way, be used as a band-aid to explicit consent.

It is very important to go through the above-mentioned steps and carefully state it in a document called Legitimate Interests Assessment (LIA).

The Data Protection Network has published a detailed explanation of legitimate interests and has provided a template for assessing legitimate interests.

So, what next?

Start by looking at all different kinds of data you collect. Yes, I know it’s a difficult process, but it is inevitable.

You already understand that data plays a huge role in improving your services, marketing and all the other operations. So, if you are significantly dependent on data to make informed decisions, then you should at least start by mapping what kind of data you collect and how you process it.

As soon as you have done the data mapping step, you need to look at every single process to evaluate which data processes fall under legitimate interests, and which processes fall under contractual basis and the others. You need to basically segregate the data pools and decide your legal basis for the processing of each pool.

And that’s not it! You need to be transparent about this whole process, and clearly mention which legal basis you follow for each particular data pool and why.

As we’ve discussed earlier, even the biggest corporations on the planet are not doing it right. Their policies are significantly vague, and they don’t even mention this table of their lawful basis of processing data. How sad!

Here are some examples of how not to do it and how to do it the right way:

Example #1 – Facebook:

Facebook has already been in the news for breaching and compromising data on several occasions and still their privacy policy is something you should strictly keep in mind to not get into trouble:

So, let’s take a look at Facebook’s legal basis for processing data:

Read the full article here.

This guest post has been originally published in Ecomply - a GDPR task management solution that can help you automate necessary documentation and reduce your risk of liability during your GDPR compliance journey.