Consent & The Right to be Forgotten: How will the GDPR affect data capture?

First published September 2016
When the EU’s new General Data Protection Regulation comes into full effect and enforcement in May 2018, businesses in Europe, and those that engage with European customers, will face sweeping new requirements on data capture and data erasure.

The GDPR will dramatically change the rights of the data subject and how data will be processed. Does your business have a strategy in place to avoid breaching the new regulations?

Getting consent for data capture

Perhaps the largest initial impact will be felt with regard to how your company will be able to capture data lawfully under this new legislation. Data capture is an integral part of almost every marketing strategy, if not all of them, for businesses of all shapes and sizes. However, the GDPR places strong requirements on what exactly ‘consent’ means with regard to data capture.

Whilst the general idea of getting consent from users remains intact, the GDPR adds new restrictions as to how this consent can be sought and achieved. Although it stops just short of requiring full and explicit consent, the legislation certainly leans more in favour of this side of the spectrum, indicating that consent can only be given through “a statement or a clear affirmative action.”

Specifically, recital (32) states:

  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…

Each time you request data, consent is required too, in particular if you plan to process that data for different purposes. A single consent does not cover all instances of data capture, and explanations of planned data processes must be given when requesting consent in order to comply with the GDPR.

The new legislation also adds further requirements of parental authorisation for data capture concerning children under the age of 13, whilst special categories of personal data – such as ethnic origin, religious beliefs, political affiliations, medical information and sexual orientation – will all require further explicit consent.

What will you have to change?

With the GDPR, businesses will no longer be able to rely on opt-out processes or implicit consent. In the eyes of the law, inaction on the part of a user does not imply consent to their data being captured.

In fact, the legislation specifically refers to this, describing how “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

For companies, this might mean an overhaul of sign-up forms and the whole process of data capture in your business. Every time you request data from your customers, you need to use clear, plain language that is simple to access, simple to read and simple to understand. This includes an explanation of how you will lawfully process their data.

How you actually gain that consent is still open to interpretation, but could include:

  • A written statement – including by electronic means
  • An oral statement
  • The ticking of a box on a website
  • Choosing technical settings for information society services

This last option given in the GDPR could see the use of cookies and tracking technology remaining intact, as it’s open to wide interpretation. However, it’s also worth noting that unless data processing is required for a specific service, businesses cannot supply or deny this service to users based upon the need to consent to data capture.

As an extreme example, that would mean you couldn’t stop a user from reading content on a website page unless they consented to data capture of their personal details.

It’s important to also remember that consent should be verifiable, so data controllers will need to keep detailed records to prove a user has ‘opted-in’ and consented.

If you already have consent for data capture based on previous EU directives, you won’t need to re-seek this consent as long as it meets the new requirements laid out in the GDPR.

Given these sweeping changes, it’s likely that businesses will need to conduct a full review of their data capture mechanisms and electronic content management systems in order to ensure compliance. To stay on the right side of the law, companies will need to:

  • Get valid consent for use of any personal data, with an affirmative act by the subject
  • Explain how and why data will be processed in any given circumstance
  • Re-obtain consent if the processing methods change or use of that data alters
  • Provide records of consent and access to the data that has been captured upon request

Withdrawing consent and the right to be forgotten

As well as new requirements on gaining consent for data capture and processing, the GDPR also makes it clear that consent can be withdrawn and revoked at any time.

Originally known as the ‘right to be forgotten’, broadly speaking this principle dictates that an individual can request for their data to be removed or deleted when there is no compelling reason for a business to continue processing that information. Though initially more absolute, the GDPR legislation has been watered down and termed ‘the right to erasure.’

Entrenched in Article 17 of the GDPR, the right to erasure states that in certain circumstances, an individual can submit a request to the data controller to have personal information erased or to prevent further processing of that data. The right to erasure applies when:

  • The personal data is no longer necessary or relevant in relation to the purpose for which it was originally collected
  • The individual specifically withdraws consent to processing (and if there is no other justification or legitimate interest for continued processing)
  • Personal data has been unlawfully processed, in breach of the GDPR
  • The data must be erased in order for a controller to comply with legal obligations (for example, the deletion of certain data after a set period of time)

If one of the above conditions applies under this right to erasure, it is the responsibility of the data controller to delete and remove the data ‘without undue delay’ and specifically within a month unless specific circumstances apply.

In instances where personal data has been shared with other third parties or made available in the public domain, the GDPR states that it is the data controller’s responsibility to take ‘all reasonable steps’ to inform other outlets of the request for erasure and require them to comply with deletion or removal.

However, what those ‘reasonable steps’ are is ambiguous and open to interpretation. It will depend on available technology and the cost of implementation. If data has been made public, for example, it could be extremely difficult to identify and inform additional data controllers and impossible to trace all its current uses.

Complying with and balancing the right to erasure

Despite the reach of the GDPR, it does note that the right to erasure isn’t absolute, nor is it unlimited. The removal or deletion of data, and that aforementioned ‘right to be forgotten’, needs to be balanced against freedom of information and the public interest.

The exceptions to the right to erasure and reasons to refuse to comply include:

  • The right of freedom of expression and information
  • Compliance with legal obligations or official authorities
  • Public health reasons or the performance of a public interest task
  • Archiving purposes in the public interest, scientific research, historic research or statistical analysis
  • If needed for the exercise or defence of legal claims

In some cases, the restriction of personal data may be more applicable, and this could be used as an alternative option to erasure or in circumstances where data must be held in limbo pending legal challenges.

The biggest challenge concerning the right to erasure is that the onus is on controllers to weigh up this request with other competing rights and interests. In effect, data controllers will be required to be judge and jury, with any mishandling of requests sitting on their shoulders.

Preparing for the effects of GDPR

The key for businesses is to review all data capture and processes now, before the new GDPR legislation comes into full force, in order to allow time to make any required changes.

Consent for data needs to be bulletproof to avoid any legal challenges and non-compliance. Staff also need to be well trained to identify requests for the ‘right to erasure’ and deal with them appropriately.

New systems and processes may need to be put in place, whilst data controllers need to constantly keep an eye on the new legislation and exemptions made by Member States of the EU.

Different sectors will be affected in different ways, so much research will be required along with a significant ‘bedding in’ period, before the full ramifications of the GDPR on data capture are clear.

Is your business ready for the GDPR? Take a look at our resources for all the information you need to prepare for the new regulations.


© Copyright 2022 Kefron. All Rights Reserved
