When the EU General Data Protection Regulation (GDPR) comes into effect, you’re going to need ‘explicit consent’ to legitimate certain forms of data processing. That raises two questions: what is explicit consent, and when must it be obtained?
What is explicit consent?
Explicit consent can be thought of in much the same way as the GDPR’s standard requirements for obtaining consent. The difference is that it must be obtained in a way that leaves no room for misinterpretation. This means it must be provided in a clear statement – whether written or spoken.
An explicit consent statement will also need to specifically refer to the element of the processing that requires explicit consent. For example, as the Information Commissioner’s Office (ICO) states, “the statement should specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer”.
Other than that, the requirements for explicit consent are the same as the GDPR’s definition of consent, which is:
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
This definition in itself means that consent must be obtained more explicitly than before. The addition of the term “clear affirmative action” is key here, as it rules out opt-out consent, such as pre-ticked boxes. The GDPR makes a number of other changes to the way in which organisations will have to gain consent. The ICO’s guidance explains that consent requests must be:
- Unbundled: ensure that consent requests are separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Granular: give a thorough explanation of options to consent to different types of processing wherever appropriate.
- Named: state which organisation and third parties will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- Without an imbalance in the relationship: check that there isn’t an imbalance in the relationship between the individual and the controller (such as an employee and employer, or a tenant and a housing association).
When do you need to gain explicit consent?
Explicit consent will be necessary for organisations that want to legitimate the use of special category (sensitive) data. It can also legitimate automated decision-making and overseas transfers by private-sector organisations in the absence of adequate safeguards.
As with consent in general, you shouldn’t seek explicit consent if there is any other lawful basis for processing the data. You can process data without consent if the processing is necessary for:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
Learn more about the GDPR with our training courses
IT Governance’s one-day Certified EU General Data Protection Regulation Foundation training course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for EU organisations of any size.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.