Permission Impossible? Consent and the new EU Data Protection Regulation

By Scott Sammons

I recently took part in an ‘Information Awareness’ week for a local council. This was an event for council staff involving various training sessions revolving around a certain theme. Last year the sessions were on the theme of game shows and this year the theme was films.

I was lucky enough to draw the session title ‘Per-mission Impossible’ which would be looking at the subject of consent and permissions in their various forms. I make a point of not naming organisations I work with but credit for the title of this blog must go to them.

We had some really interesting discussions around what people believe are the current pitfalls and benefits with consent and what people think of the new world of consent as proposed by the European Union (EU) in their Data Protection Regulation.

We started with the current world and looked at the guidance from the Information Commissioner’s Office (ICO). Their Guide to Data Protection states:

“Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as: …any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

This is primarily aimed at Data Controllers who are looking to use consent as a justification for the processing of personal data especially, and more explicitly, where that data is sensitive in nature.

Bearing this in mind, there is then a conversation to be had around what that actually means in the real world. You know, that world where you have a Data Subject on the phone or sat in front of you, more interested in resolving their query or issue than understanding what is happening with their personal data. Personally I’ve always seen the matter of consents and permissions as a customer service issue. Yes, there are things that we must do as part of compliance and demonstrate as part of our compliance. However, the method and delivery should very much be aligned with the customer service standards and processes of the organisation. As the phrase goes, “tax doesn’t have to be taxing.” Well, “permissions don’t have to be a mission”. (I know, it was the best I could come up with on short notice!)

If you treat the gaining and subsequent management of permissions as a “compliance task”, then the mind-set will always be to see it as a nightmare and a hurdle to overcome. However, if you approach it as you would any other aspect of customer service and apply good customer service principles, you will get much closer to a compliant permissions model. It also puts you in something of a good position for the future.

Another aspect of the discussion around permissions and consent management involves the question of how to effectively manage a consent or permission regardless of the channel in which it is being obtained.

Regardless of the channel in which you communicate with the Data Subject, the only effective method for tracking consents/permissions is an electronic database that either forms part of or interacts with your main customer database. But with that comes a series of concerns around ensuring that this system is kept relevant and up to date. For example, in a large organisation where a customer speaks to some random part of the organisation and expresses a preference, how do you ensure that the preference is captured and updated accordingly throughout the organisation?

These are important discussions to be had now because, as I run through below, the requirement to effectively and clearly demonstrate that you are doing the above becomes more important when the proposed EU Data Protection Regulation comes into force.

Permissions of the Future: All roads lead to explicit…?

So in my last blog post I gave an update on the General Data Protection Regulation and said that I’d start to focus on individual parts. Well this is the first one (and apologies that it’s taken me a while).

In the Commission’s proposal for a new General Data Protection Regulation, it proposed that whenever a business relies on consent as a valid ground for processing personal data, that consent should be ‘explicitly’ given. This changes the current position where consent only needs to be ‘explicit’ where a business wants to rely on it as a basis for processing sensitive personal data. Put simply, for processing for marketing purposes, for example (which is almost always on the basis of consent), everyone will be required to “opt in” rather than opt out as under the current regime (for phone and post at least). [References: European Commission Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1-4)]

When the draft text made it through the European Parliament, the Parliament gave its backing to the new definition of ‘consent’ suggested by the Commission. It too believed that consent needs to be “freely given specific, informed and explicit” and provided “either by a statement or by a clear affirmative action”. And, in contrast to today’s requirements, the burden of demonstrating that the legal standard of ‘consent’ has been achieved would lie with organisations. [References: European Parliament Regulation Text CH I ART 4: General Provisions – definitions (8), CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (2)]

In contrast, the Council said there was broad support for rules which would require organisations seeking to rely on consent to process personal data to ensure that the consent is “unambiguous”. This seems to back the broad legal standard for consent that exists under current EU data protection laws and not a radical change to explicit consent regardless of context. [References: European Council Regulation Text Comparison (so far) CH I ART 4: General Provisions – definitions, CH II ART 6: Principles – lawfulness of processing (a), CH II ART 7: Principles – Conditions for consent (1)]

This post does not explore the requirements around children’s data. However the principle of “informed and explicit” consent is replicated there. This will be the subject of a different post so watch this space.

Which of these texts is likely to survive, I hear you ask? Well like most things in the world of politics that is unclear. However, if you look at it from a numbers point of view then 2 of the 3 approving bodies favour explicit consent and a requirement to demonstrate when and where that consent was collected. If I was a betting man I’d say that some shift towards explicit consent is going to happen, but how far is anybody’s guess.

More importantly organisations should be looking at how they currently manage and capture consents. If this is something that they don’t do (for whatever reason) then it’s time to start looking at how this can be factored into processes and staff trained so it gets woven into customer service standards.

Scott Sammons is an Information Risk and Security Officer in the medico-legal sector and blogs under the name @privacyminion. He is on the Exam Board for the Act Now Data Protection Practitioner Certificate.


Author: actnowtraining
