By the time this article goes to press, Guernsey will (hopefully) have published its new draft Data Protection Law and be set to formally debate it in October, with Jersey to follow soon after. This should prompt a fresh drive towards implementation in many businesses ahead of the new law coming into force in May 2018, as we will then know how it will operate locally, rather than attempting to second-guess based on what people in the UK are doing.
One of the key changes to the existing regime will be a much stricter definition of consent, which will require consent to be:
Clearly demonstrable – There must be an audit trail to show consent has actually been given.
Freely given – The data subjects must be able to refuse consent without detriment and/or there must not be a clear imbalance of bargaining power with the controller. In addition, it is unlikely to be acceptable for the performance of a contract (including the provision of a service) to be made conditional upon consent to processing that is not necessary for that performance.
Able to be withdrawn – The individual must be informed of their right to withdraw consent in advance, and the process for withdrawal must be as easy as that for giving consent.
Clearly distinguishable, intelligible and in clear and plain language – This is an additional requirement where consent is given in the context of other matters, as will often be the case. For anyone who has actually read the GDPR, which has 173 recitals of largely unintelligible legal jargon before the operative provisions even begin, the final requirement that consent should be in plain language is just a little ironic.
What does this mean in practice? Well, for a start, existing consents will need to be reviewed to understand whether they remain valid. In the context of financial and professional services, many businesses currently rely on the data protection clauses within their terms and conditions of business as the basis upon which consent has been given. However, where that information is then held on a marketing database, for example, it is now questionable whether such consent would be considered "freely given" unless there is some other evidence of it. Even more fundamentally, the party signing the terms and conditions and the individual on whom you hold personal data are often not even the same person, meaning that even under the current law you would not have valid consent.
The consequence of this new, tighter approach to consent is that it will force businesses to consider whether there is a more appropriate basis on which personal data can be processed, such as the "legitimate interests" condition. This is certainly not carte blanche to do whatever you want: it requires an assessment weighing the competing interests of those involved, and information about the processing must be provided in the form of privacy notices. Even so, it will be the solution many turn to. For those that do, the key will be transparency and having in place good policies and procedures setting out how those assessments will be made and recorded. This process will without a doubt require some effort from all businesses; in the long term it should be viewed as an investment. If you have any doubt how important the topic of data protection and security is, just ask Mossack Fonseca how their business is doing …