Organisations processing individuals’ personal data should review how they obtain the necessary consents to do so from those individuals when new data protection rules come into force.
The General Data Protection Regulation (GDPR) is an EU Regulation that strengthens and unifies data protection for individuals within the EU, and regulates the export of personal data outside the EU. Its aim is to give citizens control over their personal data and simplify the regulatory environment for international business. The GDPR will replace the UK’s current data protection laws from 25 May 2018 (when the UK will still be in the EU).
Much of the new law will be the same as existing UK law but there are differences. For instance, while both pieces of legislation require consent from an individual before their data can be ‘processed’ (ie obtained, recorded or held) by an organisation, the GDPR rules governing how that consent is obtained are stricter than under current UK law.
• An individual must give their consent freely. So if an organisation is in a much stronger position than the individual (eg. it is a public authority such as a local council), or the organisation says it will not provide a product or service unless consent is given, then consent may not have been freely given
• The organisation must give the individual specific information about the person who will be ‘controlling’ their data, what it will be used for, etc. If there are different processing activities, consent must be given to each activity separately: the organisation cannot bundle them together
• The request for consent must be clear and plain and, if part of a larger document or webpage, distinguishable from other parts of that document or page
• Giving consent must be a positive act (eg. an organisation cannot use pre-ticked boxes on a webpage as consent, although consent can still be given through a course of conduct)
• The ‘controller’ must keep a record of consents given
• Organisations must tell each individual, before they give consent and during the relevant period, that they can withdraw it at any time
Existing consents that comply with the GDPR will remain valid. However, consents that do not comply will need to be obtained again.
• May 2018
• Organisations should review whether their data protection policies and procedures comply with the GDPR, particularly:
  • Whether there is an imbalance between their organisation and the individual, or they currently make consent conditional on providing a product or service, meaning that consents obtained may not have been given freely
  • Whether they obtain consents from children
  • How they obtain consents (eg. on documents such as contracts or marketing material, and on web pages), including the information they give at the time
  • How they record consents
  • How individuals can withdraw consents
Jonathan Waters is the founder of Helix Law. Before qualifying as a Solicitor he worked in industry and in investment banking for over a decade. He was also the Partner in charge of Commercial Litigation, Employment Law and Property Litigation at Stephen Rimmer LLP. Jonathan has wide experience of helping and advising businesses to avoid or to deal with commercial disputes and in particular construction disputes.
This article is written to raise awareness of the issues it discusses and it may not be updated after it is first written, even if the law changes. It is not intended to be legal advice and cannot be relied on as such. Helix Law is not responsible or liable for any action taken or not taken as a result of this article. If you think the matters set out affect you and you wish to apply them to your particular circumstances then we are happy to give you free initial telephone advice.