All data processing activity must meet one or more predefined conditions for the processing to be fair and lawful. The Data Protection Act 1998 set out those conditions in Schedule 2, and largely similar conditions made the jump to GDPR Article 6.
Before GDPR, the conditions for lawful processing were widely misinterpreted in the HR sector, and consent to HR processing was hard-wired into employment contracts. This misguided view gained such traction that, prior to GDPR, most employment contracts contained a widely worded consent clause along the lines of “agreement is irrevocably given to the use of personal data including sensitive data for whatever purpose the company in its absolute discretion may decide”. A consent clause of that type is not going to be effective under GDPR.
Advice from the Information Commissioner has generally been against relying on consent as the grounds for lawful processing, pointing out that consent must be freely given, without duress on the consenting party. That makes it difficult to rely on in the context of employment, for example, where the parties to the contract have unequal bargaining power. The point is also made that consent must be revocable, and revocation can leave the controller without any lawful grounds for processing the data.
Under GDPR, consent is an even less appealing grounds for lawful processing in many situations, because the Regulation spells out the weaknesses of relying on it. GDPR defines consent as a freely given, specific, informed and unambiguous indication of the data subject’s wishes, given by a statement or a clear affirmative action, and it gives the data subject the right to withdraw that consent at any time.
Consent is often relied on either out of laziness or out of an inability to identify the correct grounds for lawful processing. This is probably because the need to meet a lawful condition for processing was largely ignored in practice until GDPR made the lawful basis a mandatory piece of information to be included in Privacy Notices. There is probably still a lot of fallout to come from the wrong conditions having been specified in Privacy Notices. The ICO position is that a controller which has relied on consent will not be able to switch to another condition when the data subject tries to revoke that consent.
This can be a disaster. In a real-life example, a landlord agreed that a tenant’s personal data would not be shared with third parties, effectively relying on the tenant’s consent for those aspects of data processing that required input from third parties. The landlord did not have a registered gas fitter on staff and had to outsource the annual gas safety checks to a third party. The tenant objected, leaving the landlord in a difficult position. Carrying out gas safety checks is a statutory obligation on the controller, and the right to refuse the data sharing needed to facilitate them should never have been in the tenant’s gift. The appropriate grounds for lawful processing of tenant data when carrying out a statutory safety check is not consent; it is compliance with a legal obligation to which the controller landlord is subject (GDPR Article 6(1)(c)).
Also bear in mind that data subject rights under GDPR apply more readily to processing based on consent than to processing based on the other conditions for lawful processing. A data subject can exercise the right to be forgotten in relation to personal data processed on the basis of consent simply by withdrawing that consent. The ICO is unlikely to uphold a controller’s refusal to delete the data on the grounds that it had incorrectly stated its basis for lawful processing in the first place.
In conclusion, it is important to spend time (or money) correctly identifying the grounds for lawful processing relied on by an organisation for every aspect of data processing and every purpose. The lawful processing conditions have to be considered not just in relation to the primary purpose of the processing but also in relation to the activities that help the controller meet its objective, for example data sharing with third parties. Conditions for lawful processing need to be reviewed regularly to check that all the angles have been covered on the most appropriate terms. A record of regular review will also help to establish Accountability: if a complaint or ICO investigation reveals an inadequate choice of lawful processing conditions, that record offers a defence by showing an honest attempt to comply with the provisions of GDPR.