It is a common misconception that consent is the “safest” lawful basis for processing personal data. However, as two recent EU decisions show, this is incorrect: relying on consent when it is not the appropriate basis can in fact result in a fine (see below).


There are 6 “lawful bases” (i.e. valid reasons) for collecting, storing and using personal data – consent is only one of these.

There are limited cases where the law states that consent is required to process personal data (i.e. it is the only acceptable lawful basis), such as electronic direct marketing and the use of non-essential cookies. In all other circumstances it is for the business to decide which basis is the most appropriate. The ICO makes it clear that all six bases are equal and that no single basis is better than the others; it is all about what is appropriate in the circumstances. (If you are using cookies, see our previous blawg – Who stole the cookies from the cookie jar.)

In addition, if you are processing “special category data” (sensitive data such as health or racial or ethnic origin) you need to identify both a lawful basis for the processing in general and a separate condition (under Article 9 GDPR) for processing this type of data.


Consent will not be appropriate where:
• The individual has no real choice – if you would still process the personal data without consent, asking for consent is misleading and inherently unfair.
• Consent is bundled into the terms of a service as a precondition of receiving it, where the processing is not actually necessary to provide that service.
• The organisation is in a position of power over the individual, as public authorities and employers usually are (unless it is confident that it can demonstrate that the consent was freely given).


If you haven’t already you should:
• Assess each different reason you process personal data (this needs to be done at a granular level, purpose by purpose) and decide the appropriate lawful basis for each.
• Set out this information in your privacy notice. Even if you don’t need consent, you still need to tell people what you are doing with their data and on what basis.


If you get this exercise wrong, you have no lawful basis for that processing and are in breach of data protection law, so it should be taken seriously. Note too that the ICO’s guidance says you should not swap to a different lawful basis at a later date without good reason, so the choice needs to be right from the outset.

Below are two recent examples of the cost of getting this wrong.

The Hellenic DPA (the Greek equivalent of the ICO) has fined a company €150,000 for requiring employees to consent to the processing of their personal data. The DPA found that:
• The processing was in reality carried out for purposes directly linked to the performance of the employment contracts, to compliance with the company’s legal obligations and to the smooth and effective operation of the company (its legitimate interests). Consent was therefore not the appropriate basis.
• So, while employees were given the impression that the processing was based on their consent, it actually rested on different legal bases about which the employees had never been informed.

Similarly, the Swedish DPA has fined a school for wrongly relying on consent as the basis for a three-week trial of facial recognition to track student attendance. The fine was approximately €20,000. The DPA held that consent could not be freely given where there is a clear imbalance of power between the data subjects (the students) and the school, and indicated that the fine would have been larger had the trial gone on for longer.


There is a great deal of guidance on the ICO’s website, and we suggest it as your starting point if you need more detail.

Or of course, you can contact us about the various ways we can help you with your data protection compliance.



Back to Lawpoint Website