Introduction to GDPR and Consent: A 5 Part Series
Author: Clarip’s Chief Privacy Officer
Of all the prescriptive rules and seemingly odd concepts that the GDPR imposes on organizations, consent is one that garners a higher than average share of confusion and misinterpretation. Presumably this perplexity stems from the expectation, especially among many US based entities, that they already have a general understanding of consent and how to obtain it from consumers. That expectation does not match the reality of consent requirements in the context of GDPR. As a result, businesses tend to be over-reliant on consent and, even worse, they are not fully cognizant of the many hoops they will need to jump through for their consent to be both feasible and compliant. In the process, they may end up without a lawful basis for processing, which is an immediate violation of the law and a big "no no" under EU law. And worse, given the GDPR's diligence requirements for controllers and processors, business operations can come to a quick halt if your vendors and partners cannot be assured that you have implemented an appropriate basis for lawful processing in line with GDPR.
Even before GDPR, EU member state laws had very concrete requirements and limitations on the notion of individual consent. So the question that often comes up is: what exactly is different now, post GDPR, and what new requirements does the regulation impose for consent to be appropriate and effective? Lastly, we can't completely forget that the forthcoming ePrivacy Regulation is also in play and should presumably carry consent mandates consistent with GDPR.
In this Five Part Series on consent, we break down the many intricacies of consent and lay out the controls you'll want to implement when you use consent as a lawful basis for processing. We'll give you an overview of the relevant sections, in both the recitals and the body of the GDPR's articles, where you can directly reference the consent language. Along the way we'll add examples and practical steps that enable valid use of consent, including the actions you'll want to take and those you'll want to avoid, so that your consent mechanism is reliable and feasible.
Of course, consent is only one of the six lawful bases for data processing under Article 6, so if consent does not fit your proposed data usage there are other options and, in many instances, far better options. Finally, keep in mind that you should identify a single lawful basis for each processing activity. It is vital that you choose the most appropriate lawful basis up front, because you cannot take aspects of different options and declare that two or more apply to the same activity. Doing so is an immediate red flag to the outside world and to supervisory authorities (SAs) that something is amiss.
Throughout the series, we will explore the various facets of consent in the context of GDPR and show the key features you'll want to implement so that, if consent is the appropriate means for lawful processing, you have a proper understanding of how to obtain it, how to document it and how to provide the associated data subject rights that come with it.
In addition to this introduction to consent, the series topics will include:
1) What does consent really mean?
2) When can you rely on consent?
3) Which Data Subject Rights apply?
4) How should consent work?
5) Beyond GDPR, how to maximize the value of consent?
Interpretations of valid consent have not yet been tested through enforcement actions or SA inquiries, so how the facets of consent are applied in practice remains a work in progress. Nevertheless, we do have official guidance from the Article 29 Working Party (Art. 29 WP), so between that guidance and the text of GDPR there is plenty of detail to know how to implement valid consent and, equally important, where consent will NOT be valid.
More from Clarip:
Read the most recent posts on the Clarip Blog.
Learn more about the Clarip consent management platform.
Find more resources about GDPR, data privacy and the future ePrivacy Regulation.