Consent under GDPR: Understanding the Role of Data Controllers in Obtaining and Managing Consent
The General Data Protection Regulation (GDPR), enacted by the European Union (EU) in May 2018, brought about a paradigm shift in how personal data is handled, stored, and processed by organisations. Among its many provisions, one of the most vital is the role of consent. For businesses operating in Europe or handling the personal data of EU citizens, understanding the intricacies of obtaining and managing consent is essential to ensuring compliance. The data controller, as the primary party responsible for deciding how and why personal data is processed, has a crucial role in this framework. In this article, we delve deeply into the subject of consent under the GDPR, focusing on the responsibilities of data controllers in obtaining and managing consent, and highlighting the challenges and best practices for ensuring compliance.
Introduction to Consent under the GDPR
Consent is one of the six lawful bases for processing personal data under the GDPR. While it is not always required, consent becomes essential when none of the other legal grounds, such as the fulfilment of a contract or legitimate interest, apply. Under GDPR, consent must be freely given, specific, informed, and unambiguous. In short, individuals must be fully aware of what they are consenting to, and their consent must be obtained before any data processing takes place.
The GDPR’s Article 4(11) defines consent as “any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.” This definition is strict, placing the onus on data controllers to ensure that any consent they collect meets these requirements.
However, consent is more than a one-time checkbox. The GDPR has significantly raised the bar for consent by introducing stringent conditions under which consent can be obtained and maintained, as well as empowering individuals with stronger rights over their data. This brings us to the pivotal role of data controllers.
Who is a Data Controller?
Before diving into the nuances of obtaining and managing consent, it is important to clarify who exactly a data controller is. The GDPR defines a data controller as a person or organisation that “determines the purposes and means of the processing of personal data”. In simpler terms, the data controller decides why the personal data is being collected and how it will be processed.
This contrasts with the data processor, who processes personal data on behalf of the controller and under its instructions. While both controllers and processors have responsibilities under the GDPR, the controller has a greater degree of accountability in ensuring that consent is lawfully obtained and appropriately managed.
For organisations, acting as a data controller involves understanding the legal obligations tied to the processing of personal data, as they bear the ultimate responsibility for GDPR compliance, including all matters related to consent.
Key Principles for Obtaining Consent
Obtaining valid consent is a multifaceted process, requiring careful consideration and compliance with several principles outlined by the GDPR. These principles form the backbone of lawful consent and must be adhered to by data controllers in all their operations.
a) Freely Given Consent
For consent to be valid under the GDPR, it must be freely given. This means that individuals should not feel compelled to give consent, and they must have real choice and control over whether they wish to provide their personal data.
Freely given consent implies that the individual is not subjected to negative consequences if they refuse or withdraw their consent. For instance, bundling consent with the acceptance of terms and conditions or making the provision of a service conditional on consent may be deemed coercive and invalid under the GDPR, except where data is essential for the provision of the service.
b) Specific Consent
The GDPR requires that consent must be specific to the purpose for which data is being collected. Broad or blanket consent forms that do not clearly specify the exact purpose of data processing are no longer valid.
This ensures that individuals have a clear understanding of how their data will be used. Data controllers must provide detailed information on each purpose for which consent is sought and refrain from using vague or generic terms. For example, stating that data will be used for “marketing purposes” without further clarification would not meet the requirement of specificity.
c) Informed Consent
Informed consent requires that individuals are provided with clear, transparent, and easily understandable information about what they are consenting to. Article 12 of the GDPR sets forth the obligation for data controllers to provide information in a “concise, transparent, intelligible, and easily accessible form, using clear and plain language”.
At a minimum, individuals must be informed of:
- The identity of the data controller.
- The purpose(s) of the data processing.
- What personal data will be collected and processed.
- Any third parties that the data will be shared with.
- How long the data will be stored.
- Their rights under GDPR, such as the right to withdraw consent at any time.
Failure to provide this information could invalidate the consent obtained, leaving the data controller in breach of the GDPR.
d) Unambiguous Consent
The GDPR requires that consent is unambiguous, meaning it must be provided through a clear, affirmative action. Pre-ticked boxes, silence, or inactivity do not constitute valid consent. Individuals must actively choose to consent to the processing of their data, and this action must be explicit.
Examples of clear affirmative actions include ticking a box on a website (as long as it is not pre-ticked), signing a consent form, or selecting settings from a preference panel. Any ambiguity in how consent is collected can invalidate the consent and lead to GDPR violations.
Managing Consent: The Data Controller’s Responsibilities
Obtaining consent is only the first step in GDPR compliance. Data controllers are also responsible for managing and maintaining that consent throughout the data processing lifecycle. The GDPR places several obligations on data controllers in this regard:
a) Documenting Consent
Data controllers are required to keep records that demonstrate that valid consent has been obtained. This means that organisations must have a clear record of:
- Who consented.
- When they consented.
- What they were told at the time of consent.
- How they consented.
- Whether they have withdrawn their consent.
This documentation serves as proof of compliance in the event of an audit or a complaint and is a key part of the controller’s accountability obligations under GDPR.
b) Providing the Right to Withdraw Consent
One of the cornerstones of GDPR is the right of individuals to withdraw their consent at any time. The process for withdrawing consent must be as simple as the process of giving it. Data controllers are obligated to inform individuals of their right to withdraw consent, and must ensure that individuals can exercise this right easily, without facing any hurdles.
Controllers must have procedures in place to act on a withdrawal of consent promptly and stop any further data processing that relies on that consent. Additionally, the withdrawal of consent does not affect the lawfulness of data processing that took place before the withdrawal.
c) Reviewing and Refreshing Consent
Consent is not a one-time event under GDPR. Data controllers are required to review and refresh consent when there is a significant change in the data processing activities. If the original consent was given for a specific purpose and that purpose changes, or if new processing activities are introduced, the data controller must obtain fresh consent that reflects these changes.
For example, if an organisation initially collected data for providing a service and later wishes to use that data for marketing purposes, it must first seek the individual’s consent for the new purpose.
d) Special Categories of Data
Special categories of data, such as health data, racial or ethnic origin, political opinions, religious beliefs, or biometric data, require explicit consent under GDPR. Explicit consent involves a higher standard of affirmation, typically requiring the data subject to expressly state their agreement in writing.
For data controllers, handling special category data requires additional safeguards and more rigorous procedures to ensure compliance. They must also ensure that individuals are fully aware of the sensitive nature of the data being processed and the potential implications.
The Challenges of Obtaining and Managing Consent
Despite the clear guidelines set by GDPR, data controllers face several challenges in obtaining and managing consent effectively.
a) Ensuring Clear Communication
One of the main challenges is ensuring that the information provided to individuals is clear, concise, and understandable. Complex legal language or jargon can result in invalid consent, as individuals may not fully understand what they are consenting to. Striking the balance between providing enough information to be fully transparent and keeping the language simple can be difficult for data controllers.
b) Consent Fatigue
In today’s digital world, individuals are frequently asked to give consent for data processing activities, leading to what is commonly known as “consent fatigue”. People may become desensitised to consent requests and provide consent without fully understanding the implications. This raises the risk of organisations collecting invalid consent, which could be challenged under GDPR.
c) Managing Consent Across Multiple Platforms
Many organisations operate across multiple platforms, such as websites, mobile apps, and social media. Ensuring that consistent consent mechanisms are implemented across all platforms can be challenging, especially when different jurisdictions and privacy regulations apply.
d) Dealing with Third Parties
Sharing data with third-party processors is common in today’s interconnected business environment. However, managing consent when third parties are involved introduces additional complexities. Data controllers must ensure that any third party they share data with has the necessary consent to process the data and that the third party complies with GDPR requirements.
Best Practices for Data Controllers
To overcome these challenges and ensure compliance with GDPR’s consent requirements, data controllers should adopt a series of best practices:
a) Use Layered Privacy Notices
Rather than overwhelming individuals with all information at once, data controllers should adopt layered privacy notices. This approach allows individuals to access high-level information initially and then drill down into more detailed information if they wish. This enhances transparency and helps individuals make informed decisions without experiencing information overload.
b) Regularly Audit Consent Mechanisms
Data controllers should regularly review and audit their consent mechanisms to ensure they remain compliant with GDPR. This includes reviewing how consent is obtained, how it is recorded, and how withdrawal requests are handled. Conducting regular audits can help identify any gaps or weaknesses in the consent management process and ensure continuous compliance.
c) Offer Granular Consent Options
Where possible, data controllers should offer individuals the option to give granular consent. This means allowing them to choose which specific data processing activities they agree to, rather than asking for blanket consent. For example, individuals might consent to their data being used for service delivery but not for marketing purposes.
d) Simplify the Withdrawal Process
The process of withdrawing consent should be straightforward and user-friendly. Organisations can offer easily accessible “unsubscribe” buttons or preference management dashboards where individuals can review and update their consent choices.
The Consequences of Failing to Obtain Valid Consent
The GDPR provides data protection authorities with the power to impose significant penalties for non-compliance. Failing to obtain valid consent, or failing to manage consent in accordance with GDPR, can result in hefty fines. In the most severe cases, organisations can face fines of up to €20 million or 4% of their global annual turnover, whichever is higher.
In addition to financial penalties, organisations risk damage to their reputation if they are found to have mishandled consent. Consumers are increasingly aware of their data protection rights, and negative publicity around GDPR breaches can result in lost trust and business.
Conclusion
The GDPR’s consent requirements represent one of the most important aspects of the regulation, and data controllers bear the responsibility of ensuring that consent is obtained, documented, and managed in full compliance with the law. This involves more than just collecting consent – it requires providing clear, specific, and unambiguous information, maintaining accurate records, and allowing individuals to easily withdraw their consent when they wish.
For data controllers, this can be a challenging process, but by adhering to the principles outlined in GDPR and adopting best practices for managing consent, they can not only ensure compliance but also build trust with their customers. In a world where data is increasingly viewed as a valuable asset, handling consent properly is crucial to maintaining the confidence and privacy of individuals while operating within the bounds of the law.