The practicalities of the GDPR: breach notification, consent

As the GDPR hurtles towards us, our picture of how it will play out in practice gradually becomes clearer, aided by case studies of practices elsewhere, and guidance from regulators such as the ICO. Here are some observations on two important aspects of life under the GDPR.

Data breach notifications: expect a deluge

As diligent data controllers will be well aware, the GDPR contains some alarming consequences. Take data breaches, for example. There will be a duty to notify the data protection authority (in the UK, the ICO) of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (Article 33(1)).

Interestingly, the Dutch law is one step ahead: mandatory breach notification was introduced in January 2016. In that calendar year, almost 5,500 breaches were notified.

Recall also the size of potential fines (depending on the type of contravention, up to €20 million or 4% of annual global turnover, whichever is the greater). Data breaches are serious matters now, but their significance under the GDPR will skyrocket.

Consent: draft ICO guidance

But leave aside for the moment the nightmare scenario of when things go wrong. The GDPR contains challenges which go to the heart of many business models (in private, public and third sectors). If your business involves processing personal data, you need to ensure that, among other things, you satisfy one of the conditions in Article 6. In other words, you need to be able to demonstrate that you have a good justification for doing what you do with people’s personal data.

One of the most prominent and important of those conditions is consent. Many business models currently work on the basis of opt-out consent: ‘I am allowed to process personal data in this way because nobody unticked the box’. The GDPR kills that off. Consent is defined in Article 4 GDPR as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

What exactly does this require? This question is addressed head-on and with plenty of practical detail in the ICO’s draft guidance on consent under the GDPR. It was published last week and is out for consultation – responses need to be in by 31 March. Here are some points to note.

“Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default”.

In order for consent to be “specific and informed”, you will need to specify the identity of the data controller, the purposes of the processing, the types of activity involved and the right to withdraw consent.

The ICO urges data controllers to be “specific and granular” (which implies a level of detail) – but also “clear and concise” (not so much detail that the wood is lost for the trees). “You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents”.

Consent will also need to be refreshed, particularly if your processing purposes or activities change: “Consent will not be specific enough if details change – there is no such thing as ‘evolving’ consent”.

The GDPR also retains the distinct concept of “explicit consent” (for medical information, for example): how is this different from the very demanding ‘ordinary’ consent under the GDPR? “Explicit consent is not defined in the GDPR, but is not likely to be very different from the usual high standard of consent. All consent must involve a specific, informed and unambiguous indication of the individual’s wishes. The key difference is likely to be that ‘explicit’ consent must be affirmed in a clear statement (whether oral or written)”.

The ICO very fairly recognises that consent is not the be-all and end-all (i.e. there are other grounds on which you can justify your processing of personal data) and that it will often be difficult to secure valid consent in practice. The ICO suggests that if you are in doubt about the validity of your consents, you should probably look for another justification. It adds that “if you cannot offer a genuine choice, consent is not appropriate”.

It is difficult to offer genuine choice if the individual is in some way beholden to you. Therefore, “public authorities and employers will find using consent difficult”.

Public authorities may feel particularly hard pressed: the GDPR makes consent difficult for them, and at the same time it removes the “legitimate interests” condition (at least when it comes to their public tasks). Never fear: Scylla and Charybdis can be navigated, with care.

For more insight, delve into the ICO’s draft guidance, and come to the 11KBW Information Law seminar on 27 March.

Robin Hopkins @hopkinsrobin