You may think that if you are processing data for your customers (data subjects), then you must always obtain their consent to do so. Processing data is collecting and manipulating data to produce results that include analysing, sorting or summarising data which you hold.
Whilst you may believe that obtaining the data subject’s consent to process their data is necessary, it is in fact only one of five justifications under the Data Protection Act 1998 (and Article 6 of the General Data Protection Regulations (GDPR)). The other justifications for processing data are for performance of a contact, compliance with a legal obligation, protecting vital interests and for the purposes of public or legitimate interests.
You must always ensure that the justification (be that consent or any other reason) is clearly communicated to the data subject, however this can be as simple as stating to the data subject that the use of their information is “necessary for the performance of the contract between us” and informing them of the uses of their data.
With consent under the GDPR required to be, amongst other things, – active, clear, informed, separate, balanced and not conditional upon anything else, it may be worth considering whether you are able to use one of the other justifications instead. In addition, consent is the only justification which can be withdrawn by the data subject at any time.
Whilst the other justifications seem to remove the large burden of obtaining consent under the GDPR, you are only able to use them if they apply. The data will not have been processed lawfully if you have used a justification which is not applicable. If you are unsure if they apply, it is always best to protect yourself by obtaining the consent of the data subject.
Law for the online generation starts here.
Conditions surrounding consent have been restructured, meaning that companies will not be able to use long and complex terms of condition that are full of legal jargon. Instead, the request for consent must be easily accessible, easy to understand and have the purpose for data processing attached to the consent.