With GDPR, consent doesn’t equal compliance

By Craig Parsons, director, Persolvo

When we’re talking to clients about preparing for GDPR they often start the conversation with either fines or consent – areas which have given rise to some of the biggest myths around GDPR compliance.

Marketeers especially are concerned about consent because the bar for consent has been raised by GDPR.

Although the Data Protection Act has always required a clear, affirmative action to give consent, GDPR adds extra requirements for the consent to be valid, and detailed records must be kept.

Some businesses are so worried that they’re concentrating on ensuring they have consent but neglecting the rest of their GDPR compliance - often needlessly complicating their efforts.

GDPR says that you must have a lawful basis to process personal data, and it gives six lawful bases you can use to process the personal data.

Consent is just one of those, and it’s not always the appropriate one for you to use. The Information Commissioner’s own guidance on consent starts with: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”

There are circumstances when you simply can’t use consent – because it has to be freely given. So you can’t, for example, process employee data on the basis of their consent. Instead, you’d need to identify Contractual or Legal Obligation as the basis. If you too are focusing on consent and neglecting the other factors in your GDPR compliance then contact us to bring much-needed clarity to your efforts.