It is a common misconception that consent is the “safest” lawful ground for processing personal data. However, as two recent EU decisions show, this is incorrect: relying on consent where it is not the appropriate basis is itself a breach and can result in fines (see below).
WHAT DOES THIS MEAN?
There are six “lawful bases” (i.e. valid legal reasons) for collecting, storing and using personal data – consent is only one of them.
In addition, if you are processing “special category data” (sensitive data such as health, racial or ethnic origin, etc.) you need to identify both a lawful basis for the processing generally and a separate, additional condition that permits processing of this type of data.
WHEN ISN’T CONSENT APPROPRIATE?
Consent will not be appropriate where:
• The individual has no real choice – if you would process the personal data anyway, with or without consent, asking for consent is misleading and inherently unfair.
• Consent is made a precondition of a service, even though the processing is not actually necessary to provide that service.
• The organisation is in a position of power over the individual, as public authorities and employers typically are (unless it is confident that it can demonstrate that the consent was genuinely freely given).
SO WHAT DO WE DO?
If you haven’t already, you should:
• Assess each separate purpose for which you process personal data (this needs to be done at a granular level, purpose by purpose) and decide the appropriate lawful basis for each. Record that decision and tell the individuals concerned which basis you are relying on, for example in your privacy notice.
WHEN YOU GET IT WRONG
Unfortunately, if you get this exercise wrong it means you are not processing under a valid lawful basis and are in breach of data protection law – so it is an exercise that should be taken seriously.
Below are two recent examples of the cost of getting it wrong.
The Hellenic DPA (i.e. the Greek equivalent of the ICO) has fined a company €150,000 for requiring employees to consent to the processing of their data. The DPA found that:
• The processing was carried out for purposes directly linked to the performance of the employment contracts, to compliance with legal obligations, and to the smooth and effective operation of the company as its legitimate interest – and therefore consent was not the appropriate basis.
• So, whilst employees were given the impression that the processing was based on their consent, in reality it was being carried out under a different lawful basis, about which the employees had never been informed.
Similarly, the Swedish DPA has issued a fine for wrongly relying on consent as the basis for a three-week trial of facial recognition to track attendance at a school. The DPA fined the school authority €20,000 for using consent where there was a clear imbalance of power between the data subjects (i.e. the students) and the school, and indicated that the fine would have been larger had the trial gone on longer.
WHERE TO SEEK GUIDANCE
There is a great deal of guidance on the ICO’s website, so we suggest it as your starting point if you need further help – www.ico.org.uk
Or, of course, you can contact us about the various ways we can help you with your data protection compliance.