Episode Seven – Consent
If I am in hospital about to have an operation, I will have a reasonable understanding of how I came to be there. The surgeon and anaesthetist will have spoken to me, explaining, in a reasonable amount of detail, what it is they intend to do and the risks associated with doing that. Having explained all that, they will then ask me to sign a document indicating that I understand what is going to happen. I have had the risks explained to me and I consent to the operation. If I am a child, then they will have spoken with my parents/legal guardians. They will explain things to them but also to me, in language that a child can understand.
Up to now, consent in terms of data processing could be summed up as: “Can we process your data? We promise not to sell your details. Yes/No [ ]”
The new General Data Protection Regulation (GDPR), which comes into force next year on 25th May, is aimed at increasing transparency and strengthening the protection of EU citizens’ data, and it is within the area of consent that some of the strongest protections are afforded.
A data subject’s consent is defined as:
‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ GDPR (Article 4)
Consent must be:
- Freely given
- Specific
- Informed
- An unambiguous indication of wishes
Add to that that it falls to the data controller to demonstrate that consent has been obtained, that the data subject has the right to withdraw consent at any time, and that the mechanism for withdrawing MUST be as easy to use as the mechanism for giving consent in the first place, and many businesses find themselves in a challenging situation.
Take employment agencies, for example. Employment agencies collect CVs from applicants and hold them on a database. Companies approach agents with a vacancy, at which point the agent sends the company a number of anonymised CVs. The company then selects the candidates it wishes to interview, at which point the recruitment agent gives the company those candidates’ names and reaches out to the candidates to arrange the interviews.
There is, within this straightforward example, a large amount of what the GDPR terms processing. Holding CVs, sending CVs on to companies, revealing candidates’ names and reaching out to candidates to arrange interviews are all classed as processing, and up to now have been done on the basis of presumed consent: employment agencies assume candidates understand how they work and therefore consent.
Under the GDPR this will change, with many agencies facing the prospect of a large-scale change in the way they work.
Consent must be freely given and specific, i.e. given for EACH processing operation. So candidates must be informed of how the agency works and must give consent to having their CV stored. Candidates also need to consent to having their CV sent out to various companies. Because consent must be specific, and because sending a CV to a company is classed as processing, candidates should consent each time their CV is sent to an individual company, since each company represents a new processing operation. Want to send the CV to five companies? Then consent must be obtained for each.
When a company selects a list of candidates to interview, the recruiter must gain the consent of each candidate to reveal their name to the company, because that too is classed as a new processing operation.
Consent should also be an unambiguous indication of the data subject’s wishes, so companies need to ensure that they have a means of recording that candidates consented to each sending of their CV. In the case of companies using SAP systems, that may be as simple as adding a custom field to the data table to record that consent was obtained. In other systems, it may require a substantial degree of re-engineering.
This simple example illustrates two important takeaways for the GDPR:
- In some cases, compliance will require a large-scale change to a commonly used business process and its underlying systems.
- Wherever possible, don’t process data based on consent.
Imagine the situation where a recruiter sends a CV to company ‘X’ with the candidate’s consent. The following day the candidate secures a position with company ‘Y’, calls the recruiter and withdraws their consent.
The recruiter now has to ensure that the candidate’s data is deleted, including the CV that has been sent to company ‘X’. This means company ‘X’ needs to shred the paper copy it printed, delete the electronic copy and the copy attached to the email, and then confirm to the recruiter that this was done.
One solution to this situation is for candidates engaging with recruiters to sign contracts with them. The contracts will need to be specific enough to allow the recruiter to send CVs to companies, possibly restricted to a specific field. That way the recruiter is processing under contract rather than processing under consent.
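The recording requirement described above (a consent record for each sending of a CV, withdrawal as easy as granting, and a list of who must delete copies after a withdrawal) can be sketched as a small consent ledger. This is an added example, not code from the article or from any SAP product; the candidate ids, company names, purpose strings and notice text are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal for one specific processing operation.

    kind         "grant" or "withdraw"
    purpose      the processing operation, e.g. "store_cv", "send_cv", "reveal_name"
    recipient    the company the operation concerns, or None for the agency's own storage
    notice_text  what the candidate was shown when consenting (None for withdrawals);
                 kept so the controller can later demonstrate what was consented to
    """
    kind: str
    candidate_id: str
    purpose: str
    recipient: Optional[str]
    notice_text: Optional[str]
    at: datetime


class ConsentLedger:
    """Append-only record of consent decisions; nothing is ever edited or deleted."""

    def __init__(self):
        self._events = []

    def grant(self, candidate_id, purpose, recipient, notice_text):
        self._events.append(ConsentEvent("grant", candidate_id, purpose, recipient,
                                         notice_text, datetime.now(timezone.utc)))

    def active_grants(self, candidate_id):
        """Latest event per (purpose, recipient); a grant followed by a withdrawal is gone."""
        latest = {}
        for e in self._events:
            if e.candidate_id == candidate_id:
                latest[(e.purpose, e.recipient)] = e
        return {k: e for k, e in latest.items() if e.kind == "grant"}

    def is_permitted(self, candidate_id, purpose, recipient=None):
        return (purpose, recipient) in self.active_grants(candidate_id)

    def withdraw(self, candidate_id, purpose=None, recipient=None):
        """Withdrawal is a single call, no harder than the grant. With no purpose or
        recipient given it revokes everything the candidate consented to.
        Returns the number of grants revoked."""
        now = datetime.now(timezone.utc)
        revoked = 0
        for (p, r) in list(self.active_grants(candidate_id)):
            if (purpose is None or p == purpose) and (recipient is None or r == recipient):
                self._events.append(ConsentEvent("withdraw", candidate_id, p, r, None, now))
                revoked += 1
        return revoked

    def history(self, candidate_id):
        """The evidence trail the controller must be able to produce."""
        return [e for e in self._events if e.candidate_id == candidate_id]


class Recruiter:
    """The agency's side: every dispatch is checked against the ledger and logged."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.dispatched = []  # (candidate_id, company): who holds a copy of which CV

    def send_cv(self, candidate_id, company):
        # Consent must be specific: a grant for Company X does not cover Company Y.
        if not self.ledger.is_permitted(candidate_id, "send_cv", company):
            raise PermissionError(f"no consent to send CV of {candidate_id} to {company}")
        self.dispatched.append((candidate_id, company))
        return True

    def deletion_obligations(self, candidate_id):
        """Companies that received the CV but no longer have a live consent behind it;
        each must be asked to delete its copies and confirm."""
        return sorted({company for cid, company in self.dispatched
                       if cid == candidate_id
                       and not self.ledger.is_permitted(cid, "send_cv", company)})


def demo():
    """Constructed walk-through of the scenario in the text."""
    ledger = ConsentLedger()
    agency = Recruiter(ledger)
    notice = "We will store your CV and send it to Company X. You may withdraw at any time."
    ledger.grant("cand-1", "store_cv", None, notice)
    ledger.grant("cand-1", "send_cv", "Company X", notice)

    sent_to_x = agency.send_cv("cand-1", "Company X")
    try:
        agency.send_cv("cand-1", "Company Y")   # no specific consent for Company Y
        sent_to_y = True
    except PermissionError:
        sent_to_y = False

    revoked = ledger.withdraw("cand-1")         # the candidate calls and withdraws everything
    return {
        "sent_to_x": sent_to_x,
        "sent_to_y": sent_to_y,
        "revoked": revoked,
        "still_permitted": ledger.is_permitted("cand-1", "send_cv", "Company X"),
        "must_delete": agency.deletion_obligations("cand-1"),
        "evidence_events": len(ledger.history("cand-1")),
    }


if __name__ == "__main__":
    print(demo())
```

The ledger is append-only on purpose: a withdrawal is recorded as a new event rather than by editing the grant, so the agency can still show what was consented to, on the basis of which notice, and when it was withdrawn. The "custom field" approach mentioned for SAP tables records the same fact, but a single flag loses the notice text and the timestamps that make the record demonstrable.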
The subject of consent under the terms of the GDPR is one which will change many industries. Companies are advised, as a first step, to identify which processing activities require consent and then consider if this processing could be done under any other lawful processing criteria.
If consent is the only criterion applicable, then companies should review whether:
- Consent was obtained
- It was specific
- There was sufficient information provided to the data subject to enable them to understand and make an informed decision about all the processing activities.
- The processing activities have remained unchanged since consent was first obtained.
If any of the above are found to be false, i.e. consent for a specific activity was not obtained or recorded, sufficient information was not provided, or the activities have changed, then companies are instructed either to scrap the processing operation or to improve their consent mechanisms and obtain consent once more, a not inconsiderable undertaking.
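The four-point review above can be run mechanically over the evidence a company holds, provided each consent record keeps what the subject was shown and how the activity was described at the time. The following is an added example, not part of the article: the activity names, descriptions and notice wording are constructed, and the test for "sufficient information" (the notice must describe the activity and mention withdrawal) is a deliberately simple heuristic standing in for a fuller review of what the notice contained.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessingActivity:
    """A processing operation as the company performs it today."""
    name: str
    description: str


@dataclass(frozen=True)
class ConsentEvidence:
    """What the company can show for one consent decision.

    activity      the operation consented to, or "*" for a blanket tick-box
    notice_text   exactly what the data subject was shown
    described_as  how the activity was described at the time of consent
    """
    activity: str
    notice_text: str
    described_as: str


def audit_consent(activities, evidence):
    """Check each current activity against the evidence held and report the first
    failing check: 'not obtained', 'not specific', 'insufficient information',
    'changed since consent', or 'ok' when all four hold."""
    by_activity = {}
    for ev in evidence:
        by_activity.setdefault(ev.activity, []).append(ev)

    findings = {}
    for act in activities:
        specific = by_activity.get(act.name, [])
        if not specific and "*" not in by_activity:
            findings[act.name] = "not obtained"
        elif not specific:
            findings[act.name] = "not specific"   # only a blanket consent covers it
        else:
            ev = specific[-1]                     # most recent specific consent
            # Constructed heuristic for "informed": the notice must describe the
            # activity and tell the subject how to withdraw.
            informed = (ev.described_as in ev.notice_text
                        and "withdraw" in ev.notice_text.lower())
            if not informed:
                findings[act.name] = "insufficient information"
            elif ev.described_as != act.description:
                findings[act.name] = "changed since consent"
            else:
                findings[act.name] = "ok"
    return findings


def required_action(findings):
    """The two options the text leaves: keep processing, or scrap it / re-consent."""
    return {name: ("keep" if f == "ok" else "scrap, or fix the mechanism and re-obtain consent")
            for name, f in findings.items()}


def demo():
    """Constructed audit for a recruitment agency; each outcome except
    'not obtained' appears once (the blanket tick-box covers everything)."""
    current = [
        ProcessingActivity("store_cv", "store your CV on our database"),
        ProcessingActivity("send_cv", "send your CV to companies you approve and to partner agencies"),
        ProcessingActivity("reveal_name", "reveal your name to a company that shortlists you"),
        ProcessingActivity("marketing", "send you marketing about our services"),
    ]
    evidence = [
        ConsentEvidence("store_cv",
                        "We will store your CV on our database. You can withdraw at any time.",
                        "store your CV on our database"),
        ConsentEvidence("send_cv",       # consent predates the 'partner agencies' change
                        "We will send your CV to companies you approve. You can withdraw at any time.",
                        "send your CV to companies you approve"),
        ConsentEvidence("reveal_name",   # notice never explained the activity or withdrawal
                        "Tick here to continue.",
                        "reveal your name to a company that shortlists you"),
        ConsentEvidence("*", "Can we process your data? Yes [x]", ""),
    ]
    return audit_consent(current, evidence)


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding} -> {required_action(demo())[name]}")
```

Storing `described_as` alongside the notice is what makes the last check possible: without a record of how the activity was described when consent was given, a company cannot tell whether the processing has since drifted away from what the subject agreed to.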
Your Journey to GDPR Compliance Series
Stephen Lofthouse MSc BSc PGCLTHE FHEA is a GDPR Consultant with Proceed and a member of the International Association of Privacy Professionals. He is an award-winning SAP mentor who has worked globally for a number of years both commercially and in academia.