GDPR: When should you obtain consent?

Knowing how and when to obtain consent under the General Data Protection Regulation (GDPR) can be challenging. Many people wrongly believe that organisations must obtain consent before processing personal data. In fact, consent is only one of six lawful bases for processing, and you should rely on it only when none of the other bases applies.

The other lawful bases are:

  • Contract: the processing is necessary to fulfil a contract with the individual, such as meeting obligations under an employment contract or supplying goods or services they have requested.
  • Legal obligation: the processing of the data for a particular purpose is required by law.
  • Vital interests: the processing is necessary to protect someone's life or physical integrity (either the data subject's or another person's).
  • Public task: the processing is necessary for an official function or duty carried out in the public interest. This usually applies to public bodies such as government agencies, educational institutions, hospitals and the police.

  • Legitimate interests: a private-sector organisation has a genuine and legitimate reason (which can include commercial gain) to process a person's personal data without their consent, provided that this interest is not overridden by any harm to the person's rights and freedoms.

You still need to understand your obligations around consent, because there will be situations in which consent is the most appropriate lawful basis.

Opt In vs Opt Out

The GDPR specifies conditions for legitimate requests for consent, but consent must also be given with a definite affirmative response. In other words, rather than pre-ticked boxes, people need a method that demands a deliberate decision to opt in. The ICO (Information Commissioner's Office) asserts that opt-out alternatives "are effectively the same as pre-ticked boxes, which are outlawed," even though the GDPR does not expressly forbid opt-out consent.

Examples of valid requests for consent include:

  • Signing a consent statement on a paper form
  • Clicking an opt-in button or link online
  • Selecting from equally prominent yes/no options
  • Choosing technical settings or preference dashboard settings
  • Responding to an email requesting consent
  • Answering yes to a clear oral consent request
  • Volunteering optional information for a specific purpose (such as optional fields in a form)
  • Dropping a business card into a box

The key point is that, for a request for consent to be valid, the person must clearly take an affirmative action. Consent requests must not rely in any way on silence, inactivity, default settings, exploiting indifference or inertia, or default bias.

Problems with consent

Because individuals have more control over their data under the GDPR, relying on consent can be risky and time-consuming. For instance, if you are processing personal data on the basis of consent and later decide to use that data for a different purpose, you will need to obtain everyone's consent again. Anyone who declines or does not respond must be removed from your files.

Furthermore, people have the right to withdraw their consent at any moment, which once again requires you to delete them from your database. If you don't do this, the relevant supervisory authority may discipline your organisation.

Additionally, you may find yourself in a catch-22 situation if a data subject withdraws their consent and you later realize you are required by law to continue processing the data. In other words, you either fail to fulfil your legal obligation to handle the data or you are compelled to violate privacy law by processing the data after consent has been withdrawn.
