The most common confusion surrounding the GDPR (General Data Protection Regulation) seems to arise when data controllers try to work out how to handle consent in a compliant way. In this second part of the series, I’ll try to clarify the requirements a bit. (See Part 1 here)
The overarching premise of the GDPR is that data which can identify a “natural person” (the term the GDPR uses for users), also referred to as a “data subject”, either alone or in combination with other data, belongs to that natural person and can only be processed on a lawful basis that has been made clear to that person. Data controllers and data processors are merely the custodians of that data, and each can be held responsible for shortcomings in protecting, processing or erasing it.
There are six lawful bases (Article 6) for processing personal data:
- A contract (either sales or service): processing that is necessary to perform a contract with the data subject, or to take steps at their request before entering into one. If your Terms & Conditions or Service Contract are sufficiently explicit as to the type of information gathered and the purposes for which it will be used, this may suffice.
- Public task (actions by public authorities): functions of a government website, for instance.
- Vital interests (actions to protect the life or physical safety of the data subject or another person): this can be a touchy area, so don’t assume… investigate fully, especially where health data is concerned.
- Compliance with a legal obligation: a lawful court order, for example.
- Legitimate interests: when a private-sector organization has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided that interest is not outweighed by the impact on the individual’s rights and freedoms.
- Consent: a formal consent record (personally, in many instances, I see this as a last resort).
Regardless of which lawful basis you rely on for collecting and processing personal data, you must clearly communicate exactly what data will be collected and for what purpose(s) it will be processed.
Furthermore, before gathering any personal data, you must present that data collection to the data subject (user), explaining what data will be collected and for what purpose. Where consent is your lawful basis, the data subject must also take a clear, positive action to opt in to the collection. No pre-checked boxes or default opt-in. Old methods like “By continuing, you agree…” won’t cut it any longer.
You’ll notice that consent is listed last. There’s a good reason for that. I highly recommend you don’t jump to the conclusion that you need to rewrite your consent form. In fact, many businesses can be better served by not relying on a traditional consent form at all. It bears investigating your options, because relying on consent places additional requirements on you that can be burdensome and expensive to fulfil: you must be able to demonstrate that consent was actually given, and the data subject can withdraw it at any time, as easily as it was given.