The European Union General Data Protection Regulation (GDPR) is set to become effective and enforceable on May 25, 2018, and just about every business, ready or not, will have to deal with the consequences of noncompliance after that date. The penalties for failing to meet the standards outlined by the GDPR can be severe and should not be ignored or shrugged off by any business enterprise.
One of the more significant principles of the GDPR is the concept of consent. Data subjects, the people providing the personal data that needs to remain protected, must clearly consent to the processing of their data. That may seem reasonable, but obtaining consent can be more complicated than you might think. Consent can be given in more than one form, and compliant enterprises will have to know and, more importantly, account for the different forms.
What is consent under the GDPR?
The GDPR establishes a clear definition of valid and lawful consent with regard to data subjects:
"Consent is an unambiguous indication of a data subject's wishes that signifies an agreement by him/her to the processing of personal data relating to him/her."
In simple terms, here are the conditions of valid consent under the GDPR:
- Consent needs to be freely given.
- Consent needs to be specific, per purpose.
- Consent needs to be informed.
- Consent needs to be an unambiguous indication.
- Consent is an act: It needs to be given by a statement or by a clear act.
- Consent needs to be distinguishable from other matters.
- The request for consent needs to be in clear and plain language, intelligible, and easily accessible.
Obtaining explicit consent that is valid under the GDPR adds another layer of conditions to the process. Data subjects consenting to the processing of their medical records, for example, must give specific and explicit consent to every aspect of the processing to be performed.
To carry the example further, consenting to the processing of your personal data as a means to purchasing an item from a website can be considered as given by the mere act of providing the information. However, in such a situation, you have not given the website permission to turn around and sell your personal data to third parties beyond the original transaction, nor have you consented to receive additional marketing material from the website itself. Consent for those additional activities must be asked for specifically under the GDPR.
Guidelines for obtaining consent
Consent under the GDPR must be given freely. According to Article 4(11) of GDPR, consent is:
"any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;"
For many enterprises, the key terminology in that definition is "clear affirmative action." GDPR guidelines mandate that valid consent is granted only by a clear action. In other words, lawful consent can't be obtained by embedding the request for consent inside other common statements, like terms of service or privacy policies. The GDPR refers to this form of consent acquisition as a "bundled request."
Furthermore, the GDPR guidelines specifically prohibit the use of pre-checked consent or permission requests. Such a request must be presented to a data subject as blank, and the data subject must be allowed to actively and unambiguously check or mark the request in the affirmative for the consent to be valid.
The concept of "freely given consent" is particularly important for situations where there is an imbalance of power between the parties. The entity in a position of power, like a public authority or potential employer, is not allowed to introduce any element of compulsion, pressure, or inability to exercise free will. Bundling various data processing consent requests into a single package in these situations is considered a form of compulsion or pressure by the GDPR and is, therefore, prohibited.
The enforcement of the GDPR with respect to obtaining consent from data subjects is going to impact many business enterprises that felt they were upstanding members of the business community before May 25, 2018. Obtaining consent for processing personal data can no longer be an afterthought. The provisions of the GDPR make consent a clear and separate priority for compliant enterprises.
The testimony of Facebook founder and CEO Mark Zuckerberg to the US Congress in April 2018 is a clear example of what the GDPR is trying to prevent. One app developer followed the rules and obtained permission to access personal data from Facebook members for a specific purpose. Unfortunately, that developer then sold that personal data to a third party without getting explicit permission to do so. After May 25, 2018, this will be a clear and blatant violation of the GDPR and would likely lead to embarrassment, fines, and costly litigation.
All public-facing organizations subject to the provisions of the GDPR must change the way they approach the acquisition of consent from customers and clients—or risk financial hardship, and possibly even extinction, if they don't.
Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.