GDPR: Consent should be last resort

Consent should be the last thing a company relies on when it comes to staying on the right side of the regulation.

By Alison Treadaway, director at Striata
Johannesburg, 27 Mar 2018
Alison Treadaway is a director at Striata SA.

By now, most UK-based companies affected by the European Union's General Data Protection Regulation (GDPR) should be in the advanced stages of preparations for its implementation.

Many of these companies will have placed heavy emphasis on the consent aspects of GDPR. In reality, however, consent should be the last thing a company relies on when it comes to staying on the right side of the regulation.

Here's why

Data collection can be legitimate

At this stage of the game, most people are likely aware that the GDPR is designed to give ordinary people more control over their personal data and how it's used. This may be one reason why so much attention has been given to the question of consent.

It's important to remember, however, the regulation doesn't preclude companies from gathering data for legitimate reasons.

In fact, Article 6 of the GDPR states the processing of data is legal if:

* Processing is necessary for the performance of a contract to which the data subject is party;
* Processing is necessary for compliance with a legal obligation to which the controller is subject;
* Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
* Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
* Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular, where the data subject is a child.

The regulation doesn't preclude companies from gathering data for legitimate reasons.

As this list illustrates, there's a fair amount to work with there. But, before even beginning to think about consent, it's worth tightening up whichever of these points most applies to the company.

One major reason for focusing on the other provisions of Article 6 is that it could save companies a lot of work in the long run.

If companies rely solely on consent, they're going to spend a lot of time cleaning up their communication databases. In the worst instances, they might have to build them from scratch.

When consent is necessary

It's also worth remembering that consent is only needed in very specific circumstances. Consent is required when no other legitimate reason exists, to hold sensitive personal data, to export data outside the EU, and for marketing communications.

So, for example, consent will be needed if a company is sending e-mail marketing to a blended subscriber base where explicit consent was not recorded.

The company will also need consent if it wants to use the data for a different purpose from the one for which it was originally collected (for example, marketing to customers).

Outside of these specific examples, however, there's little reason to rely on consent.

Bad for business

In fact, there are powerful business reasons not to turn to consent for GDPR compliance.

The first, and most obvious, of these reasons is that consent can be revoked. The GDPR explicitly states it must be made easy for people to exercise their right to withdraw consent.

Another reason consent should be seen as a last resort is that it confers additional rights on the individual. So, if a company has to rely on consent to process personal data and then wants to use it for another purpose, the company has to get the individual's consent all over again.

Given the other options available and the pitfalls of relying on consent, it's pretty obvious that it should be the last resort when it comes to GDPR compliance.