Do you really need to ask for consent?

In the post-GDPR world, organisations are required to be more transparent about the ‘purposes’ for which they collect and use our personal data. Where necessary, they are expected to obtain our consent to use that information. Consent, however, is not always required, and asking for it when it is not needed creates problems of its own.

I recently found myself looking for a new energy supplier and stumbled upon one which was highly recommended and gave me a very competitive quote. With the decision to switch made, I duly completed their form and as usual, at the bottom of the page, there was a ‘terms and conditions’ section.

I’ve screen grabbed it here.

So what’s the problem? Looks pretty standard, doesn’t it?

The second tick box is one most of us have come to expect. We've grown used to being presented with terms and conditions to read, only to quickly click the accept button or, as in this case, tick the box without actually reading them!

It was, however, the first tick box that drew my attention.

Why was I being asked to give consent for the processing of my personal data to fulfil my energy contract? It did not make sense to me to be asked for consent to fulfil a contract, as these are two distinctly separate lawful bases of processing. Both could work, but one is unnecessary and inappropriate.

What's all this about consent then?

In the run up to the General Data Protection Regulation (GDPR) becoming enforceable on 25th May 2018, there was a lot of misinformation about organisations needing to obtain consent to process personal data. This was - and still is - incorrect. Article 6 of the GDPR sets out six lawful bases for collecting and processing personal data: consent, performance of a contract, legal obligation, vital interests, public task and legitimate interests. Consent is just one of them, and it is not the default.

The GDPR also builds on the principle of purpose limitation and the idea of layered consent. Where an organisation has multiple purposes, such as supplying a service and marketing, it should choose the most appropriate lawful basis for each purpose separately and obtain consent only for the purposes that genuinely need it. This approach is designed to stop organisations collecting personal data for one purpose and later deciding to use it for another that the individual may not have wanted or expected.

Ultimately, consent should only be used as a lawful basis where you can genuinely offer individuals control over how their data is used. If a genuine choice cannot be offered, or if consent is made a precondition of receiving a service, consent is unlikely to be an appropriate lawful basis for that processing purpose, and another basis (typically performance of a contract) should be relied on instead.

So why is the above example not a valid consent?

Official guidance from the Information Commissioner’s Office (ICO) tells us that consent should not generally be a precondition of signing up to a service. Article 7(4) of the GDPR makes the same point: when assessing whether consent is freely given, utmost account must be taken of whether performance of a contract is made conditional on consent to processing that is not necessary for that contract. In this example, the consent is not only a precondition of signing up; it is mandatory, so the service cannot be obtained without giving it.

Also, because consent is required, it is no longer ‘freely given’, which Article 4(11) of the GDPR demands of any valid consent. I cannot choose to deny consent and still receive the service. Therefore, I would feel compelled to consent in order to receive the service I am signing up for.

Finally, within the organisation’s Privacy Policy, they state that they ask for consent to process my sensitive data (what the GDPR calls special category data), and state “we’ll give you the chance to choose whether you’d be happy for {bleeeeeeeeep} to contact you with marketing information”. Neither of these purposes is identified at the point of collection, and no tick boxes are provided to gather these consents. Should the organisation use my personal data for either of these purposes on the strength of the sign-up form alone, it would be doing so without the consent its own policy says it relies on, and therefore in breach of the GDPR.

How should it have been done?

There's no better way to explain this than the old phrase "getting your ducks in a row".

The GDPR expects us to have mapped out and fully understood how the data we collect flows through our business, step by step (the Article 30 record of processing activities is the natural place to write this down). We need to understand what we are collecting, why we are collecting it, how it will be used and what makes each use necessary. Only then can we decide which lawful basis is most appropriate for each "purpose". Where consent is required, we are expected to layer it, asking for it only where it is genuinely needed and separately from everything else.

Let me walk through the entire process of this energy supply scenario from initial quote through to the provision of service and further marketing.

1. Prospect visits website. Address details and energy usage are obtained in order to provide a quotation.

The individual is seeking to enter into a contract of service. They willingly and freely give the information, and there is an expectation that it will be processed to provide a quote.

Consent is not required. Processing is necessary to provide the quote, which is a step taken at the request of the individual prior to entering into a contract (the "negotiation of a contract" limb of Article 6(1)(b)), therefore Performance of a Contract is the most appropriate lawful basis.

2. Prospect accepts quote and signs up as a new customer.

The individual has now expressed an explicit desire to enter into a new contract of service. They willingly and freely give the information and there is an expectation for it to be processed to facilitate that service.

Consent is not required as it is both necessary, and expected, to process the information to facilitate the contract of service. Performance of a Contract is therefore the most appropriate lawful basis.

3. The customer is a "vulnerable" person and wishes to be recorded on our vulnerable persons list. In the event of an issue with service, people on this list will be prioritised.

This is a direct request from the customer to be included on this list. The list itself is not "necessary" for the delivery of the service, but it is an enhancement to it.

This by its very nature is the classic definition of consent. The customer is being given a genuine choice to be included on the vulnerable persons list, and can withdraw from it at any time, therefore Consent is the most appropriate lawful basis.

This is not to say that another basis such as "Legitimate Interests" could not be used, as it could be seen as being in the legitimate interest of the customer to be included on the list. One caveat: if the reason for vulnerability is a health condition, that is special category data under Article 9, which needs its own condition on top of the Article 6 lawful basis. Explicit consent is the obvious one, which is another reason consent fits well here.

4. The company wishes to use the information on its customers to market other products and services that it can offer.

The use of the information in this way, without an explicit "Opt In" consent for marketing, would be unlawful. There may be a few readers now shouting about the "Soft Opt In", which allows the use of existing customer data for marketing by electronic mail. However, under PECR this only applies where the marketing is for the company's own similar products and services, and where the customer was given a simple means to opt out at the point the data was collected and is given it again in every message (and the soft opt-in may disappear with the new ePrivacy Regulation currently working its way through the EU system).

Consent is nearly always going to be the cleanest, easiest and most robust lawful basis for marketing, provided it is collected through its own unticked box, separately from the terms and conditions and from anything the service actually needs.

So, if Xynics were the energy supplier, our sign-up form would look something like this:

Want to know more?

The Information Commissioner’s Office provides some excellent guidance on the "Lawful basis for processing" here.

If you would like to talk to Xynics about your lawful bases of processing or any other Privacy & Data Protection matter, complete the form here and one of our team will get in touch.
