Now that the EU General Data Protection Regulation (GDPR) is in force, organizations are ramping up their efforts to refresh data subject consent that was obtained prior to GDPR under the EU Data Protection Directive 95/46/EC, under which opt-out, or implied, consent was permissible.
There seem to be divergent opinions on whether re-permissioning of data subject consent is required under GDPR. Article 4(6) of GDPR makes it clear that if the basis for the collection of personally identifiable information is consent, as required under Article 6, then such consent must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes… by a clear affirmative action…” Accordingly, obtaining positive and affirmative consent is mandatory; otherwise data controllers and processors may be infringing upon data subject rights and may be subject to legal remedies, liabilities and penalties.
However, Recital 171 of the GDPR appears to obviate the need to obtain positive data subject consent by affirming that “Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation…” This provision may give comfort to organizations that have made significant investments in building out their contact databases on the basis of implied or opt-out consent.
But Recital 171 must be construed in the context of its qualifying part, which requires that the consent be in line with the conditions of GDPR. In other words, if opt-out consent was the basis for prior collection, then re-permissioning under GDPR is required.
Consent, however, is not the only basis for lawful processing under GDPR. Legitimate business interest is one of the six permissible bases for lawful processing. And, by virtue of Recital 47 of GDPR, direct marketing may meet the legitimate business interest grounds for collecting and processing personal information, subject to the following conditions:
- Pre-existing business relationship between data subject and controller and/or processor;
- Data subjects have a reasonable expectation of such a relationship with data controllers and/or processors; and
- The fundamental rights of the data subjects do not “override the interest of the data controller…”
So, what are the practical implications of these divergent interpretations relating to re-permissioning?
Well, the answer seems to be the proverbial “it depends”.
If consent was not the original basis for collecting personal information, then re-permissioning is not required under GDPR. For example, if collection and processing of personal information was necessary for the performance of a contract, or was carried out on the basis of legitimate business interest, then there is no need to seek consent under GDPR. Keep in mind, however, that if further processing is contemplated that is not limited to the original collection purpose, it is prudent to seek affirmative consent.
If, on the other hand, consent was the initial basis for collecting personally identifiable information pre-GDPR, then a determination ought to be made as to:
- The method of consent originally obtained. If such consent was obtained on an opt-out basis, then re-permissioning is required in order to comply with GDPR;
- The current status of the contact. For example, was the contact turned into a customer following initial opt-out consent? If in the affirmative, then legitimate business interest may be a basis for continued processing of personal information without the need for re-permissioning, so long as such processing is limited to the purposes for which initial consent was obtained.
It goes without saying that it is incumbent on organizations to make a careful determination of the need for re-permissioning, given the trade-off between losing the ability to leverage investments in acquiring and nurturing contact databases and risking potential penalties and fines in the event of non-compliance with the more rigorous GDPR consent provisions.
About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector, focusing on content management and business process automation. Andrew holds a Masters of Law degree with Distinction from Northwestern University, and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).