Consent as a basis for processing data - Part 1

There seems to be a misconception by some that the only way to process data is to get a customer’s consent to contact them. While it can be very confusing for those who have only ever used consent as their reason for processing personal information, it is only one of six bases for processing information. So this week and next, I am going to look at the reasons for processing personal data, when to use consent and perhaps when it is not the right approach.

To begin let me state clearly, you always need a legal reason for processing personal information. Collecting data “for the sake of it” or “just in case” is not a clear legal basis and does not comply with the principles of data protection. The GDPR provides for the following legal bases for processing data:

  • Consent: getting the express permission to use their personal data in a way that is clearly understood by the data subject (we will discuss this in more detail shortly)

  • Contractual: you are using the information as per an agreed contract (this may come into play with data processing under a tenancy agreement situation)

  • Vital interest: the personal information is used to save the life of a person, emergency services may rely on this in some instances.

  • Legal obligation: this means that a specific law says you have to process the particular personal information in compliance with that law. Child protection services may use this basis for processing for certain investigations.

  • Public task: this is a rare one, in layman’s term the processing is done in the public interest. The taking of the National Census would be an example.

  • Legitimate interest: this means you have a legitimate business interest to process the data. An example would cyber security, fraud detection or forwarded data within a company to appropriate department to complete service as expected by the customer.

Consent is equal to any of the aforementioned bases for processing so in some instances asking for consent will not always be the appropriate basis.

For example, you might not ask the consent of a person clearly identified in CCTV data committing a crime, when it is requested by the Gardaí, for the investigation of the aforementioned criminal activity. In this scenario, the legal basis for processing (the handing over of the personal data to the Gardaí on request) could be regulated under Legal obligation (such as Data Protection Act section 41 B).  In this instance you might process the data to comply with the Garda’s investigation.

With marketing, consent can be a good basis in some instances, especially with new customers, when asking if they wish to receive further marketing or sales information going forward. It is an appropriate basis as the customer (data subject) will be informed before consenting of what their consent entails and clearly opt-in to communication methods of their choice, based on an informed decision which was freely given. The snag with consent is that it must be as easy to take away as to give. So once removed or limited you would need to not only restrict the processing as directed by the customer but have this preference recorded so you don’t deviate from their preference.

Next week the concluding part of this discussion on consent. Thanks for reading!

__________________________________________________________________________________

Enguard can assist with the issues which GDPR raises from audit, security, staff training to drafting policies and procedure. For further details please call us at Enguard on 0818 252 052 or email info@enguard.ie. We would love to hear from you!


Kenneth Baker