GDPR Blog 06: Consent - What has changed from the DPA?
GDPR is a big subject that mainstream businesses across Europe, including the UK, are only just starting to see on their radar, despite the fact that it was announced in May 2016. Firms now have less than a year to get their houses in order and become compliant with the regulation.
The new EU General Data Protection Regulation comes into force in the UK on 25 May 2018 and contains many new obligations on matters such as data subject consent, data anonymisation, breach notification, trans-border data transfers and the appointment of data protection officers, to name a few.
Consent is seen as a key area of GDPR compliance for any organisation, and here the regulation introduces enhanced requirements. The central change is that consent must now be an explicit decision to ‘opt in’ rather than something inferred from a failure to ‘opt out’.
Consent must be ‘freely given, specific, informed and unambiguous’. On websites this requires consent to be expressed ‘by a statement or by a clear affirmative action’. Actions signalling consent may include ticking a box on a website, ‘choosing technical settings for information society services’, or ‘another statement or conduct’ that clearly indicates assent to the processing. ‘Silence, pre-ticked boxes or inactivity’, however, are presumed inadequate to confer consent.
The GDPR includes three additional consent requirements:
First, the GDPR gives data subjects the right to withdraw consent at any time and ‘it shall be as easy to withdraw consent as to give it’. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
Second, the GDPR adds a presumption that consent is not freely given if there is ‘a clear imbalance between the data subject and the controller, in particular where the controller is a public authority’. Importantly, a data controller may not make a service conditional upon consent, unless the processing is necessary for the service.
Third, the GDPR adds that consent must be specific to each data processing operation.
This enhanced level of consent is raised still further for special categories of personal data, that is, data considered particularly sensitive in relation to ‘fundamental rights and freedoms’ which therefore ‘deserve specific protection’.
These include data ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation’.
The GDPR requires parental consent for processing the personal data of children under the age of 16. The UK has said it will lower this age limit to 13, in line with the COPPA (Children's Online Privacy Protection Act) rules currently in force in the U.S.
Explicit consent is required in two other circumstances: controllers need to obtain explicit consent to make decisions about the data subject ‘based solely on automated processing, including profiling’, and to authorise transfers of personal data to countries that do not provide an adequate level of protection where no other transfer mechanism is in place.
The UK Information Commissioner’s Office has issued guidance on the subject of GDPR consent.
Its main points are:
- Individuals should be in genuine control of consent;
- Companies should check their existing consent practices and revise them if they do not meet the GDPR standard. Evidence of consent must be kept and reviewed regularly;
- The only way to adequately capture consent is through an opt-in;
- Explicit consent requires a very clear and granular statement;
- Consent requests should be separated from other terms and conditions. Companies should avoid making consent a precondition of service;
- Every third party who relies on the consent must be named;
- Individuals should be able to easily withdraw consent;
- Public authorities and employers may find using consent difficult. In cases where consent is too difficult, other lawful bases might be appropriate.
Once again, the list raises as many questions as it answers, so please check your understanding with an organisation that is expert on the topic.
How can Oak Innovation help?
Ability to remove recordings for a specific customer phone number
The ability to remove specific customer records is crucial to compliance. Under the GDPR, a data subject has the right to have their personal data rectified or erased. Oak makes it easy to find and remove specific records.
All calls recorded on an Oak system are encrypted so they cannot be tampered with. Businesses are better protected from abuse and in the event of customer disputes. Stereo playback ensures the clarity required by legal firms.
Store recordings for as long as you need
Oak systems can store a huge volume of recordings. Calls can be found using a wide range of criteria, for example date, time, extension, CLI, DDI, telephone number, user-defined flags, or even customer reference if the system is linked to a CRM.