GDPR – EXPLICIT AND DEMONSTRABLE CONSENT
For personal data, one of the lawful bases for processing is consent, meaning that you can use an individual’s personal data IF they agree that you can. Remember that consent may not always be the most appropriate lawful basis for processing personal data so you will need to consider this carefully.
Assuming that consent is the correct lawful basis then it’s important that
- the consent is valid consent – valid in that it meets the GDPR requirements
- you keep a record to prove that you obtained that consent
WHAT IS EXPLICIT CONSENT?
GDPR sets a high standard for consent, and if you are using consent as the lawful basis for processing special categories of data, the consent must be explicit. But what does that mean?
Guidance from the Article 29 Working Party and the ICO confirms that you need
- A very clear and specific statement of consent
- To specifically refer to the element of the processing that requires explicit consent
- The ‘explicit’ element of any consent to be separate from any other consent you need
Ideally, use a written statement such as the example below:
I consent to you using the personal information that I have given you about my health to send me appropriate emails about your services and special offers.
If you want to take extra care you might also consider
- Obtaining a signature for something, or
- Two-stage verification for very sensitive information – for example, send the individual an email explaining the processing and asking for consent to the use of a specific set of information for a specific purpose, such as processing health data. If the individual wants to agree, you could ask them to send an email reply containing the words “I Agree”. Upon receipt of the reply you send a verification link that must be clicked, or a text with a verification code. You may have experienced something similar with online payment methods.
Online, you may want to ask the individual to
- fill in an electronic form
- send an email
- upload a scanned document
WHAT IS DEMONSTRABLE CONSENT?
GDPR requires that you prove or demonstrate that you have obtained valid consent from the individual data subject. Again, guidance from the Article 29 Working Party shows us that this means keeping a record of
- Who consented
- When consent was given
- How consent was given
- What they were told at the time they consented – this should be straightforward: refer directly to the relevant version of your privacy notice
There is no “set method” for proving that you have obtained valid consent; it will depend on the circumstances. For example, you may want to consider
- Obtaining a signature for something or
- Creating a simple form to be completed when obtaining oral consent
- Using technology which records when online boxes are “ticked”
Remember that you shouldn’t keep your proof of obtaining consent for any longer than is strictly necessary to comply with your legal obligations or to establish, exercise or defend legal claims, so include those records in your retention policy too.
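To make the two-stage verification described above and the record of who, when, how and what they were told concrete, here is an added example written for this page; it is not code from the original article, the ICO or the Article 29 Working Party. The class and function names, the pseudonymous subject identifiers, the privacy notice version label, the timestamps and the six-year retention period in the walkthrough are all constructed for the example (the retention figure is an illustrative placeholder, not one the article gives); the consent wording is the article’s own sample statement.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass
class ConsentRecord:
    """One item of demonstrable consent: who, when, how, and what they were told."""
    subject_id: str      # who: a pseudonymous identifier rather than the raw identity
    purpose: str         # the specific processing element this consent covers
    given_at: str        # when: ISO 8601 timestamp in UTC
    method: str          # how: e.g. "email-reply+verification-code"
    statement: str       # the exact consent wording the individual agreed to
    notice_version: str  # which version of the privacy notice they were shown
    evidence: dict       # method-specific proof, e.g. the hash of the code they returned
    withdrawn_at: str | None = None
    digest: str = ""     # SHA-256 over the other fields, so a later edit is detectable

    def compute_digest(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentStore:
    def __init__(self, code_ttl: timedelta = timedelta(hours=24)):
        self.code_ttl = code_ttl
        self._pending = {}   # (subject_id, purpose) -> stage-1 state awaiting the code
        self.records = []    # completed ConsentRecord entries (the audit trail)

    def begin(self, subject_id, purpose, reply_text, statement, notice_version, now):
        # Stage 1: only an exact "I Agree" reply starts the flow; the returned one-time code
        # goes out of band (e.g. by text) and the store keeps only its hash.
        if reply_text.strip().casefold() != "i agree":
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(subject_id, purpose)] = {
            "code_sha256": hashlib.sha256(code.encode()).hexdigest(), "issued_at": now,
            "statement": statement, "notice_version": notice_version, "reply_text": reply_text.strip()}
        return code

    def confirm(self, subject_id, purpose, code, now):
        # Stage 2: the code comes back. One attempt per issued code; unknown, expired or
        # wrong codes record nothing and the individual has to start again.
        pending = self._pending.pop((subject_id, purpose), None)
        if pending is None or now - pending["issued_at"] > self.code_ttl:
            return None
        if not hmac.compare_digest(hashlib.sha256(code.encode()).hexdigest(), pending["code_sha256"]):
            return None
        record = ConsentRecord(subject_id, purpose, now.isoformat(), "email-reply+verification-code",
                               pending["statement"], pending["notice_version"],
                               {"reply_text": pending["reply_text"], "code_sha256": pending["code_sha256"]})
        record.digest = record.compute_digest()
        self.records.append(record)
        return record

    def withdraw(self, subject_id, purpose, now):
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = now.isoformat()
                r.digest = r.compute_digest()

    def verify_integrity(self) -> bool:
        return all(r.digest == r.compute_digest() for r in self.records)

    def purge(self, now, retention: timedelta) -> int:
        # Drop withdrawn records once the retention period has passed; returns how many went.
        before = len(self.records)
        self.records = [r for r in self.records if r.withdrawn_at is None
                        or now - datetime.fromisoformat(r.withdrawn_at) <= retention]
        return before - len(self.records)


def run_demo() -> dict:
    """Walk the flow with constructed sample data and return the outcomes."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    purpose, notice = "health-data-marketing-email", "privacy-notice-v3.2"   # constructed labels
    statement = ("I consent to you using the personal information that I have given you about "
                 "my health to send me appropriate emails about your services and special offers.")
    store = ConsentStore()
    rejected = store.begin("subject-42", purpose, "ok, fine", statement, notice, t0)
    code = store.begin("subject-42", purpose, "I Agree", statement, notice, t0)
    record = store.confirm("subject-42", purpose, code, t0 + timedelta(minutes=5))
    late = store.begin("subject-7", purpose, "i agree", statement, notice, t0)
    expired = store.confirm("subject-7", purpose, late, t0 + timedelta(days=2))
    intact = store.verify_integrity()
    record.notice_version = "privacy-notice-v1.0"        # simulate a later edit of the evidence
    tampered = not store.verify_integrity()
    record.notice_version = notice
    store.withdraw("subject-42", purpose, t0 + timedelta(days=30))
    purged = store.purge(t0 + timedelta(days=30 + 6 * 365 + 1), timedelta(days=6 * 365))
    return {"rejected_reply": rejected is None, "consent_recorded": record is not None,
            "expired_code_recorded": expired is not None, "integrity_intact": intact,
            "tamper_detected": tampered, "purged": purged, "remaining": len(store.records)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Three design choices carry the article’s points: the store never keeps the verification code itself, only its hash, and checks it with a constant-time comparison; each record carries a digest over who, when, how, the statement and the notice version, so an edit to the evidence after the fact is detectable when you need to demonstrate the consent; and `purge` removes withdrawn records once the retention period from your policy has run, which is the last paragraph’s point in code.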