In the previous post, we began a process of building the foundation for a roadmap to GDPR (General Data Protection Regulation) and its implications for US companies by outlining a blueprint to examine important aspects of the law.
For this post, we will focus on Consent as defined by GDPR and, through examination of the law, we aim to continue building the roadmap one deep dive at a time.
We chose consent because it is a core tenet of GDPR and must be understood before proceeding on to other aspects of the law.
Our goal is to provide practical insights on a case-by-case basis addressing three key elements:
- Examine the language in the law and its significance for US companies
- Outline approaches to remediate
- Identify methodologies and technologies to support compliance
Let’s start our roadmap by taking a bird’s eye view of the landscape and current conditions.
Before proceeding into our deep dive into consent, let’s look at a few more terms associated with GDPR as defined by GDPR Info EU:
Consent: consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal Data: personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
EU Directive 95/46/EC (Directive): the predecessor to GDPR. Adopted in 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
Background:
As of May 24, 2016, the General Data Protection Regulation (GDPR) 2016/679, which replaces EU Directive 95/46/EC as the principal legislation governing data privacy for EU citizens, has been officially in force. However, it will not enter into full force until May 25, 2018.
GDPR represents a substantial shift from previous regulations governing the privacy of data (i.e. Directive 95/46/EC), in that it places the emphasis not on where a business is physically located but on where the business activity occurs; more to the point, where the data resides and where it is processed. Consequently, just about any organization doing business in the EU is affected.
In addition to monetary fines for non-compliance, the law has mechanisms in place that allow an EU member state to make certain violations criminally prosecutable.
Consideration of Consent:
Any conversation about consent should start with the following: it must be “freely given, specific, informed and unambiguous.”
Before going further, it is worth mentioning some use cases where consent may not be applicable:
- Contractual agreement with an individual is in place
- If the law requires an organization to process user data
- Life-threatening events justify processing of user data
- Public interest by a public body
- Where there is a “legitimate reason”, and it does not cause harm to the data subject
As part of the debate over consent, lawmakers gave considerable thought to how far the language would go in defining “unambiguous” consent, or whether they would insist on the higher standard of “explicit” consent. The result was a compromise that allows “unambiguous” consent, while requiring such consent to be expressed “by a statement or by a clear affirmative action.”
“Silence, pre-ticked boxes or inactivity,” are insufficient to affirm consent under GDPR.
Affirmative action signifying consent can include ticking a box on a website, “choosing a technical setting for information society services,” or “another statement or conduct” that indicates an agreement to the processing of the subject’s data.
GDPR makes clear a data subject’s right to withdraw consent at any time, and “it shall be as easy to withdraw consent as to give it.” The right to withdraw consent is a separate topic that will be covered in a future post.
- Controllers must inform data subjects of the right to withdraw before consent is given.
- Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.
- There is a presumption that consent is not given freely.
- GDPR also states that consent must be specific to each data processing operation.
Consent cannot be in the form of lengthy Terms of Service constructed to confuse the subject. GDPR will also disallow any suggestions for making consent-related decisions.
A data subject must provide specific, informed consent to the use of cookies or comparable tracking technology. Recital 66 of GDPR provides an exception where cookies are “strictly necessary for the legitimate purpose of enabling the use of a specific service requested by the subscriber or user.”
GDPR treats certain types of data as “special categories of personal data, which require explicit consent.” These are much the same as those defined in the previous Directive 95/46/EC, with one exception: GDPR adds genetic/biometric data to the special categories.
Special categories consist of data 1) revealing racial or ethnic origin, 2) political opinions, 3) religious or philosophical beliefs, 4) trade-union membership, 5) genetic data and biometric data for the purpose of uniquely identifying a natural person, and 6) a natural person’s sex life or sexual orientation.
The standard for explicit consent will likely remain the same as under Directive 95/46/EC, which also required controllers to obtain explicit consent for processing special categories of personal data. Explicit consent is defined as: “where individuals are presented with a proposal to agree or disagree with a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing.” Therefore, the subject’s conduct or choice of browser settings probably will not be sufficient to meet this high bar.
It is important to note that, within the GDPR’s consent framework, photographs and video clips qualify as biometric data, but only when they are processed “through a specific technical means allowing the unique identification or authentication of a natural person.”
GDPR will require parental consent for processing a child’s personal data. Under the law, children under the age of 16 will not be able to consent to data processing without parental authorization. There is also an additional requirement placed on the controller to make “reasonable efforts” to verify that a parent or guardian has provided appropriate consent. However, there is a provision in the law that may allow EU member states to lower the age in some cases to 13 years old.
It is the burden of the controller to demonstrate under GDPR that consent was obtained lawfully according to the principles above.
As we wrap up this discussion, we want to bring your attention to another important aspect of consent which we will cover in a future post: a data subject’s right to withdraw consent at any time, where “it shall be as easy to withdraw consent as to give it.”
Recommendation:
- Identify which categories of data subjects you maintain within your business
- Verify whether, for lawfulness of processing, you need consent for all processed personal data in all cases
- Review the consents that you are currently collecting (specifically consents for special categories of personal data)
- Adjust current consents to the new GDPR requirements
- Add GDPR-compliant consents for all categories of data subject data that are not currently managed
- Register proper consents with relevant processing activities in your Processing Activity Register
If you need any assistance or have any questions regarding GDPR, don’t hesitate to contact us.
Authors:
D. Scott Clark, CPU-Group, LLC
Jacek Wróblewski, C&F