Under the General Data Protection Regulation (GDPR), businesses must have a legal basis for processing data. And they must get user consent to do so. If you process personal information without consent, you could face severe penalties.
Luckily, meeting the GDPR consent requirements isn’t very complicated. This article explains the GDPR consent requirements and how to ensure your business is compliant.
Why Is GDPR Consent So Important?
In today’s digital world, your personal data is a valuable resource. Companies can collect and sell your personal information to other entities for marketing or research purposes. To protect people’s data from misuse, the GDPR mandates that companies must have a legal basis for any processing of personal data.
The six legal bases that companies can use to justify collecting, storing, processing or otherwise handling personal data are:
- The data subject has freely and expressly given consent.
- Processing is necessary for a contract with the data subject.
- A legal obligation requires the data to be processed.
- It’s in the data subject’s vital interests, i.e. to protect their life or the life of another person.
- Processing is required as part of an official task or in the public interest.
- There is a legitimate interest in processing the data.
To comply with GDPR, you must choose one of the six reasons for processing data. You can’t change your choice once you’ve made it, so choose carefully. In most cases, getting consent is the easiest way to satisfy GDPR requirements.
Penalties for Breaching GDPR
If your business stores, obtains or processes any personal data or information that can be used to identify a person, then you must comply with UK GDPR rules. Failure to do so can result in penalties.
Under the GDPR, there are five possible penalties:
- Reprimands and warnings
- A temporary or permanent ban on processing data
- An obligation to make your data processing compliant
- Erasure of data
- Administrative GDPR fines
There’s no minimum amount for GDPR fines but there is a maximum amount. GDPR fines have a set limit of either 4% of the turnover of your business or £18 million, whichever is greater. In the UK, GDPR fines are issued by the Information Commissioner’s Office (ICO).
The UK has issued over £60 million in GDPR fines up until December 2022. The most common reason for a GDPR fine to be issued is the processing of personal data without having obtained consent.
What Does Consent Mean Under the GDPR?
Under other types of privacy laws, consent can be either implied or expressly given. It’s important to understand that as far as the GDPR is concerned, implied consent doesn’t exist as a concept. Consent must always be expressly given. That means a person must always clearly agree to their data being processed in a certain way.
The concept of GDPR consent is defined under Article 4(11) of the UK GDPR. The GDPR outlines consent specifically as:
‘…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Complying with GDPR consent requirements means that you need to fulfil five key concepts and be aware that consent can be revoked at any time. Let’s take a closer look at what these concepts mean in practice.
Data Subjects Must Give Consent Freely
Data subjects mustn’t feel they’ve been coerced, pressured or forced into giving consent, and a person shouldn’t be penalised for refusing to consent. The only exception is where you genuinely need the data to provide the goods or services requested. For example, a customer who pays by credit card has to provide their card details.
Data Processing Must Be Clearly Defined
The GDPR states that ‘The request for consent shall be presented in a manner which is clearly distinguishable from the other matters.’
You must clearly state exactly what data processing activities are being carried out and also provide the data subject with the opportunity to consent to each separate data processing activity.
An example of this would be if you are collecting a customer’s email address for verification reasons and also for marketing reasons. The customer must expressly provide consent for both activities.
Data Subjects Must Be Fully Informed
People must know exactly what they’re consenting to, who they’re giving consent to and the reason for the data processing. They must also be made aware that they have the right to withdraw consent at any time.
Consent Cannot Be Ambiguous
You must provide a clear explanation, in easy-to-understand language without technical jargon, of what the data processing activity is and why it’s required. Anyone must be able to understand what they are consenting to.
The ICO states that: ‘If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse — for example, the use of double negatives or inconsistent language — will invalidate consent.’
Consent Must be Expressly Given
A person must expressly provide their consent in a way that’s unambiguous and can’t be questioned. The GDPR states that ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’
Data Subjects Have the Right to Revoke Consent
The American company Clearview AI Inc was found guilty of breaching the UK GDPR, fined €8 million by the ICO in May of 2022 and instructed to stop processing data.
If you’re found to be in breach of GDPR consent requirements, it can have a devastating impact on your business. As well as having to pay high GDPR fines, you could also be liable for additional damages. Businesses penalised under the GDPR also suffer reputational damage when customers no longer trust that their data is properly protected.
Our GDPR Training ensures that you and your team stay on the right side of the GDPR. The course teaches trainees the fundamental principles of the GDPR and shows them how to properly handle and protect personal data.