Consent continues to be a lawful basis for processing personal data under the General Data Protection Regulation (679/2016/EU) ("GDPR"). However, organisations need to be aware that from 25 May 2018 obtaining a valid consent will be more onerous than under the current data protection regime. This article provides an overview of the requisite elements of a valid consent under the GDPR.

What is 'Valid Consent'?

Under the GDPR, consent of the data subject means any "freely given, specific, informed and unambiguous indication" of their agreement to the processing of their personal data. Each of these elements is examined in further detail below:

(1) In what circumstances is consent freely given?

In simple terms, consent will not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Consent is presumed not to be freely given where the performance of a contract, including the provision of a service, is dependent on the consent, despite such consent not being strictly necessary for the performance of that contract.

In order to ensure that consent is freely given, data controllers should avoid using consent as the legal basis for processing where there is a clear imbalance between the data subject and the controller.

(2) What constitutes 'specific' consent?

Similar to the provisions of the current legislative framework, in order for consent to be valid under the GDPR it must be specific. Data subjects must know the purposes of the data processing operations to which they are consenting.

In particular, where consent is provided in a written declaration, which also contains other matters, the request for consent must be clearly distinguishable from other matters in an intelligible and easily accessible form, using clear and plain language.

The GDPR further clarifies that consent should cover all processing activities carried out for the same purpose or purposes. Where the processing of data has multiple purposes, consent should be given for each of them.

(3) In what circumstances is consent informed?

For consent to be informed, the data subject should be aware at least of the identity of the data controller and the purposes of the processing for which the personal data are intended. Where consent is requested by electronic means, the request must be clear, concise and not unnecessarily disruptive.

In addition, prior to obtaining a valid consent, data subjects must be informed of their right to withdraw consent.

(4) What is meant by an 'unambiguous indication'?

Data subjects must give an 'unambiguous indication' of their agreement to the data processing operations by a clear affirmative act such as a written statement, including by electronic means, or an oral statement. The GDPR clarifies that this could include ticking a box online, choosing technical settings on a website, or other conduct that clearly indicates agreement to the processing. The GDPR stipulates that silence, pre-ticked boxes or inactivity do not constitute an 'unambiguous indication' and therefore cannot be used to obtain a valid consent.

Withdrawal of consent

The GDPR expressly provides for the right of a data subject to withdraw his/her consent at any time and requires consent to be as easy to withdraw as to give. Once the data subject withdraws his/her consent, he/she has the right to have his/her personal data erased without undue delay, unless there is another legal ground for the processing. Withdrawal of consent will not affect the lawfulness of processing that occurred before its withdrawal.

Obligation to demonstrate consent

Under the GDPR, data controllers must be able to demonstrate that the data subject has consented to the processing activities. Records evidencing valid consent will therefore be a priority for data controllers under the GDPR.

What's next?

Consents obtained under the current legislative framework can only be relied upon from 25 May next where they meet the standards of the GDPR as set out above. In such instances, it is not necessary for the data subject to give his or her consent again.

However, in order to ensure compliance with the GDPR, data controllers and processors should conduct a gap analysis on pre-existing consents to assess their compliance with the requirements of the GDPR.

Where organisations find that consents provided to date do not meet the standards under the GDPR, they will be tasked with finding another suitable legal basis for processing or otherwise face re-obtaining valid consents from data subjects in order to continue the lawful processing of personal data.
