In detail

What role does consent play in the GDPR?

For processing to be lawful under the GDPR, you need to identify (and document) your lawful basis for the processing. There are six lawful bases listed in Article 6(1), and consent is one of them.

If you want to process special category (sensitive) personal data, you also need to apply one of the conditions in Article 9(2). ‘Explicit consent’ is one option for legitimising the use of special category data.

Consent can also legitimise restricted processing, and explicit consent can legitimise automated decision-making (including profiling), or overseas transfers by private-sector organisations in the absence of adequate safeguards.

If you rely on consent, this will affect individuals’ rights. For example, they will have the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability. Although individuals do not have the right to object where processing is based on consent, they do have the right to withdraw consent – which in effect operates as a right to stop the processing.

What are the benefits of getting consent right?

Basing your processing of personal data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable.

Getting this right should be seen as essential to good customer service: it will put people at the centre of the relationship, and can help build confidence and trust. This can enhance your reputation, improve levels of engagement and encourage use of new services and products. It’s one way to set yourself apart from the competition.

What are the penalties for getting it wrong?

Handling personal data badly – including relying on invalid or inappropriate consent – can erode trust in your organisation and damage your reputation. Individuals won’t want to engage with you if they think they cannot trust you with their data; you do things with it that they don’t understand, want or expect; or you make it difficult for them to control how it is used or shared.

It may also leave you open to substantial fines under the GDPR. Article 83(5)(a) states that infringements of the basic principles for processing personal data, including the conditions for consent, are subject to the highest tier of administrative fines. This could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.