Speaking at the recent IP Expo in London, Irwin Mitchell solicitors warned businesses that focusing too much on consent as a basis for data collection could mean that they miss other options and issues, and leave themselves open to the risk of fines from the UK regulator when GDPR comes into force next year.
One of the key areas highlighted by the speaker from Irwin Mitchell was the fact that obtaining consent will be far more difficult under GDPR, and that the stricter rules around the gathering of consent with GDPR could mean that companies that rely on it entirely face the risk fines.
Under GDPR, businesses will need to demonstrate that they have a basis for transferring and processing user data i.e. ensuring that they have 'legitimate interests' i.e. showing that they are using data for legitimate business purposes and that no privacy rules are being breached.
What About Consent?
Consent where gathering and using personal data is concerned is a notoriously complicated legal area.
When the EU's General Data Protection Regulation (GDPR) comes into force next year businesses will need ‘explicit consent’ to legitimate certain forms of data processing. GDPR will essentially make a number of other changes to the way in which organisations will have to gain consent.
Consent under GDPR will have to be unbundled i.e. consent requests are separate from other terms and conditions, granular (a thorough explanation of options to consent must be given), named (state which organisation and third parties will be relying on consent), and documented (keeping records of how consent was gained).
Consent will also have to be easy to withdraw, and this means that if companies focus too much first on the consent aspect of GDPR as a legal basis for using personal data, it may be at the expense of other options, and could leave them open to legal risks that they had missed.
Complications For Businesses
Some of the complications that could lead to some businesses being open to legal threats are that:
- Under GDPR implied consent will disappear.
- Terms and conditions can no longer be used as a catch-all.
- Businesses that rely to some degree on consent as a legal basis will need to redraft their forms to make them compliant.
- Many current marketing consents are not clear enough, and companies will need to sort through them, make sure they are compliant, and refresh them every two years.
For many businesses, trying to prepare for GDPR has revealed just how far behind they have been with data protection practices anyway, and many are still trying to find data that they should have been securing for years. With the clock ticking, compliance is a daunting challenge.
Focusing On The Wrong Things
Some GDPR commentators have pointed out that many companies have been focusing on the wrong things in their preparations for GDPR because they don’t understand the real legal risks.
For many businesses, there needs to be (and there hasn’t been) enough of a focus on the use of technology in their preparations in order to be realistically compliant in time.
Businesses are also not in a position of to see the day-to-day cases in which EU regulators are forming a point of view on data protection.
What Does This Mean For Your Business?
There is now a pervading view that although the legal profession understands many of the ins and outs of consent, and the other important legal matters relating to GDPR, many businesses do not, and there is likely to be a quantum of illegality into May 2018 and beyond.
The whole area of what is meant by consent is so complicated and carries so many new obligations that data controllers should concentrate first on looking at other legal grounds as an alternative to consent.
Businesses could help their own preparations by focusing on how they can use technology to achieve compliance in time for GDPR, but may need to seek the current best legal information and advice to make sure that they are aware of, and are covered for the worst legal risks.