Hello, my name is Chris, and welcome to this latest video in the Obsequio series of Data Protection for real humans. Today’s topic is exploring what consent under GDPR actually is, and breaking it down to make it easy to understand. We’ll start with the most pressing question, “What is Consent under GDPR?”

If you prefer to read, you can find the video transcript further down the page.

Video Transcript

What is Consent under GDPR?

What do we mean when we say the word consent? It’s been bandied around a lot especially in the last couple of years, when talking about Data Protection, but do we know what it actually means?

When we are talking about consent, we’re talking about permission.  We are talking about getting someone’s permission to do stuff with their data.

We are always doing things in life that rely on people’s permission, or their consent. For example, you wouldn’t take someone’s car without their permission, or you wouldn’t take someone’s lunch without their permission, and it’s no different in data protection.

Do you always need Consent under GDPR?

Consent under GDPR is about taking, storing, using or doing something with someone’s data with their permission. Now, of course, you don’t always need consent or permission in everyday life. Let’s take the example of the police.

The police don’t need your permission to arrest you if you’ve done something wrong because they’re performing a public task. So, it would be wrong for them to try and get your permission to do that.

Another example is the HMRC. Unfortunately they don’t need your permission to tax you. That’s because they have a legal obligation to do it. They have a legal obligation to tax you.

There are valid reasons to take action without permission, and the same applies under GDPR. There are alternative legal bases to process data other than consent.

What is Informed Consent under GDPR?

So, now we’ve thought about what the word means let’s have a think about what we need to do to get someone’s consent.

I’m going to use the example I gave earlier about the car. You wouldn’t take someone’s car without their consent.

So, let’s imagine that you’re the car owner. If someone came to you and said, “Can I take your car?” I’d be very surprised if you just gave them an automatic “Yes”. You wouldn’t, would you?

You’d want to know a bit more about it. You’d want to know:

  • Why they needed the car
  • Where they’ll go with the car
  • Who else will use the car
  • How long they’ll need the car

All of these questions are default questions that you’ll think of when someone asks you a question like that, and again this is no different when we are talking about consent under the GDPR.

Instead of a car we are talking about someone’s data. So instead, the questions become:

  • Why do you need my data?
  • Where else will my data go?
  • Who else will use my data?
  • How long will you need my data for?

All of these questions are pivotal under the GDPR. If you don’t give someone the information they need up front, then they can’t make what’s called an informed decision.

No informed decision, no informed consent, and therefore any yes or no they give you won’t stand up if it was tested in a court of law. So, you need to make sure you have answered all those questions upfront and before the person makes a decision. Only then can they give you their informed consent.

How does Withdrawing Consent work under GDPR?

Let’s think about what other considerations we need to make when it comes to consent under the GDPR. We’re going to use that car example again because it works very nicely.

Let’s imagine now that you have answered all the questions. You’ve told the person why you need the car, where you are taking it, who else is going to drive it and how long you’re keeping it for and the person has agreed to let you have the car.

Now let’s remember, of course, that that car is not your car. You may well be using it at the time but it is their car, and because it is their car they can at any time turn around and say “Actually, I’d quite like my car back now please”.

That’s the same as withdrawing their consent.  It’s someone saying I’ve changed my mind, for whatever reason it might be, and I don’t want you to have my data any more. I don’t want you to process my data under that reason any more.

As a Data Controller it is your responsibility to listen to their wishes and act accordingly. It’s your responsibility to stop using the car and give it back. It’s your responsibility to stop using their data and give it back to them.

Remember, at the end of the day, the car is not yours, the car is theirs. They have lent it to you for a particular reason and for a specific amount of time. It is your responsibility, while you have the car, to make sure it’s secure and to treat it respectfully.

Now this is exactly the same as data under the GDPR. You may hold the data, but it is their data and you have it temporarily for a certain reason and for a certain time period. While you have their data, it is your responsibility to make sure it is secure and to treat it respectfully.

Have questions? Get in touch.

So, I hope that gives you a brief insight into consent under GDPR.  My name’s Chris Richardson and if you want to reach out to me then you can contact me through my LinkedIn profile, or through our contact page. I look forward to seeing you on the next mini video in our Data Protection for real humans series.

Chris Richardson

About Chris Richardson

Chris has spent most of his 15-year career in the hospitality industry, with dabbles in insurance and recruitment along the way. Before joining Obsequio Software as Operations Director in February 2018, he worked as a Data Manager for one of the Hospitality industry’s most well-known, market-leading suppliers – Hobart UK. Chris is experienced in carrying out GDPR audits, and has helped numerous companies along the road to becoming compliant, whilst keeping a finger on the pulse with future trends in the Hospitality sector. You can find Chris on LinkedIn.
