Last updated: 
11 min 55 sec ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR: A new kind of consent

Wednesday, April 19, 2017 - 09:40

While some have viewed the General Data Protection Regulation's approach to consent as merely adjusting the existing regime, the Information Commissioner's draft guidance suggests a more fundamental change: "a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away". In this it continues a long-standing view from the UK Commissioner that consent should probably be the last of the six available justifications to be considered, unlike other European countries where law or practice appear to consider it first. Indeed there's even a hint that consent should be reserved for an entirely different kind of data processing: that which isn't "necessary" but is done as a voluntary collaboration between data subject and data controller. As Chris Pounder has pointed out, where consent is used the data subject, not the data controller, must be in control.

Where processing is necessary, one of the other five justifications (contract, legal duty, vital interests, public function, legitimate interests) should be used. The guidance notes that one of the others must be used if "you would still process the data without consent". If an attempt to withdraw consent results in "we need to carry on processing" then the original consent was almost certainly invalid, and the misinformation when it was obtained is likely to make any other basis doubtful as well. Any situation where the data controller is "in a position of power" over the data subject is likely to render consent unreliable – employers and those exercising public authority need to look particularly carefully at the guidance on ensuring that consent is genuinely free.

That leaves consent to be used "when no other lawful basis applies", though it's clear that consent cannot cover all such circumstances. If no other basis applies and you can’t meet the requirements of consent, then it is likely that your processing has no legal basis and is therefore unlawful. Instead, consent should reflect a positive relationship between data controller and data subject, building trust to "encourage [data subjects] to trust you with more useful data". In that kind of relationship, meeting the requirements for valid consent should not be hard: if it is, then you should check whether this is really the right approach.

The guidance notes that the Regulation "sets high standards for consent" though it appears that when used properly, those standards should be a relatively natural result of the relationship. The guidance hints strongly that many current uses of "consent" are unlikely to meet those standards. Data controllers should review how they actually use personal data and fix any forms, notices, documents and processes to reflect the true legal basis. Where existing lists are found to have been gathered using a lower standard of consent, these are likely to need refreshing. Given the widespread use of consent under current data protection law, and the high fines for misusing it under the Regulation, this should probably be a high priority for action before May 2018.