Data Protection Practitioners’ Conference 2018 #DPPC2018
GDPR Consent
When is consent appropriate?
What is valid consent?
What’s new?
How do we get consent?
Granular and separate
What does ‘granular’ mean?
Separate consent for separate things
Separate from your terms and conditions
Specific to your purposes and methods
Unambiguous and clear affirmative action
Unambiguous affirmative action
It must be obvious that they intended to consent – there can be no doubt
A clear affirmative action means a clear action to opt in
No pre-ticked opt-in boxes
Don’t use pre-ticked opt-in boxes…
…or rely on any other form of silence, inactivity, or consent as the default
Identity of the controller
You must name your organisation
…and name any third party controller relying on the consent…
…categories of third parties is not specific enough
Right to withdraw consent
Individuals have the right to withdraw consent at any time
You must tell them this when you get consent
It must be as easy to withdraw consent as to give it
You must stop processing as soon as possible
Clear records of consent
You will need to show:
When they consented…
Who consented…
What they were told…
How they consented
When should you use consent?
There’s no other appropriate lawful basis
You want to give people choice and control
Or you are required to have consent
When not to use consent
If you would do it anyway – asking for consent is misleading and inherently unfair
If you are in a position of power – they may feel they have no choice
If consent is a condition of service but not necessary for the service
Remember there are alternatives to consent
Contract with the individual
Compliance with a legal obligation
Protecting vital interests
‘Public task’ - official functions or public interest tasks laid down by law
Legitimate interests
The definition of consent
“Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Consent must be:
Freely given (genuine choice & control)
Specific and informed (targeted to your purpose & easy to understand)
Unambiguous by a clear affirmative action (a clear signal that they agree)
Explicit consent
Explicit consent is not very different from regular consent…
however…
It must be affirmed in a clearly worded statement (either written or oral)…
It must specifically refer to the element of processing that requires explicit consent…
A request for explicit consent should be separate from other consent requests
Consent timescales
There is no specific timescale for expiry of consent in the GDPR
How long consent lasts will depend on the context…
For example…
The scope of the consent…
The individual’s expectations…
If the processing has evolved beyond the original consent
And don’t forget consent can be withdrawn at any time – in which case you must stop the processing
When is consent not consent?
For example, it’s not consent:
If it’s not obvious that the individual has consented;
If you can’t actually prove that you’ve got consent;
If you weren’t named as seeking consent from the individual;
If you used pre-ticked opt-in boxes or other methods where consent is the default; or
If you’re not sure – as that means it’s not unambiguous!
Your consent request must be:
Prominent – make it obvious
Separate and granular – separate from T&Cs and separate consent for separate things
Concise – don’t be vague or long winded and rambling
Easy to understand – use plain language and don’t be confusing
As a minimum you must:
Name your organisation
Name any third parties who will be relying on the consent
Explain your purposes and activities (what you’ll be doing and why)
Tell people they can withdraw consent at any time
Methods of obtaining consent
You can use a range of possible methods…
For example…
The individual signs a consent form…
The individual ticks an opt-in box, either online or offline…
The individual says ‘yes’ to a clear oral request for consent
Evidence of consent
You need evidence of:
Who
The individual’s name or other identifier (eg username, session ID)
When
eg a dated document, electronic timestamp, or a note of the date and time of the conversation
What
eg a master copy of the document with the consent request, or script that was used at the time
How
eg a copy of the data capture form, the data submitted online (with timestamp), or a note of oral consent made at the time
Reviewing and refreshing
Keep consent under regular review, and refresh if your purposes evolve beyond those originally specified
There is no such thing as ‘evolving consent’ because consent must be specific
Consider whether to automatically refresh at appropriate intervals
How often you need to refresh consent will depend on the particular context and expectations
What about existing DPA consents?
No requirement to automatically refresh all existing DPA consents
But you need to make sure that your existing consents meet the GDPR standard
If your existing consents don’t meet the GDPR standard you need to:
seek fresh GDPR consent;
identify a different lawful basis; or
stop the processing.
More information is available…
Pick up a leaflet from the hub
Check out our lawful basis tool
Visit our website www.ico.org.uk
@iconews
Subscribe to our e-newsletter at www.ico.org.uk or find us on…