5. Consent for everything
If there is one howling great misconception about GDPR that stands out above all other dumb ways to fail, it’s this:
“You need consent to process personal data.”
We’ve seen this all over LinkedIn and in various trade journals, where someone has had a quick look at the GDPR headlines and concluded that consent is mandatory for all processing. It really isn’t. The GDPR provides six different legal bases for processing personal data (excluding special categories), which include:
- The data subject had given consent to the processing;
- Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Compliance with a legal obligation to which the controller is subject;
- To protect the vital interests of the data subject or of another natural person;
- For the performance of a task carried out in the public interest or in the official authority of the controller;
- For the ‘legitimate interests’ of the controller or a third party.
In practice, most organisations will only have five of these legal bases open to them: public authorities are not permitted to use ‘legitimate interests’ (more on that in another post) as a legal basis, and in many cases will not be able to use consent either; and private companies will rarely be in a position to use ‘public interest or official authority.’
Not only do we have multiple legal bases for processing, but in most circumstances consent is not the most appropriate one to use. For example, consent is almost never appropriate in the context of employment, since the employee rarely has a meaningful choice about giving consent if the alternative is to be refused employment or related benefits.
Consent is probably the last legal basis that a controller might with to rely upon for processing, since it is the hardest legal basis to achieve, and obligations to keep it current and evidenced mean that it can be the hardest to live with. But it’s also the strongest and safest legal basis once obtained, since it provides an unequivocal statement of approval for processing, and provides a foundation for trust between controller and data subject.
This issue is by no means new. Some 10 years ago, a civil servant (responsible for processing in a public authority) said this to me:
“If the processing in your new system relies on consent, then you’ve already failed.”
Maybe that’s a cynical viewpoint, but it’s a good message to keep in mind. Spend time thinking about the most appropriate legal basis for your processing; consider whether you can actually use the proposed legal basis, and what the implications are; and don’t rush into consent just because it seems an obvious choice, because a dumb way to fail at GDPR would be to assume you need consent for all processing without first considering your options.
Please suggest your own GDPR Dumb Ways to Fail in the comments below, and we’ll add them to the list to be tackled in the coming days.