GDPR and Consent: All You Need to Know

In the past, consent has been considered quite a good option for charities that want to ensure that the clients they work with have agreed to have their information recorded, and that the charity meets its legal obligation to have a justification, or rather a legal basis, for collecting the information. Recent tightening up, which is a lot of what GDPR is composed of, suggests that consent is actually not a very good option anymore.


The reason is that consent needs to be an act of free will. In a lot of cases, though, charities are providing services in exchange for it, and that is immediately problematic: the client or person receiving the services isn't in a neutral position, or isn't completely free to make a choice, particularly if they belong to a vulnerable category or require services in order to alleviate some hardship or problem that they're experiencing.

If you can’t actually provide proper consent, which nowadays means that granular level of consent, then you need to look at other legal bases upon which to collect your information.

With Consent, Do Companies Have All the Right to Access?

If you’re going to go down the line of getting someone to sign a piece of paper and, in effect, consent to their information being recorded, be very specific with them in explaining what the information is used for and who has access to it. This can be particularly difficult when you’ve got a multi-agency monitoring system where lots of different organizations and users are using it for different sorts of purposes, and you need to ensure that you offer full granularity in terms of people being able to choose which organizations can or cannot access their information.

There may be very good reasons why a particular person doesn’t want their information accessed by an organization, due to some sort of past issue. In the past, under the Data Protection Act, the onus lay on the person, the client, to provide justification for why they wished to withdraw consent and why they wished to have their information removed. They had to provide evidence of extreme hardship caused by the collection of, any sort of interest in, or use of that information.

It’s reversed now, quite rightly probably: the onus is now on the organization rather than the client, and the organization has to provide very clear justification for why it wishes to continue processing the information in the face of overtly withdrawn consent from the client. It’s really something to think about with the consent that you have for the systems that you run, and to consider whether it really is true consent. In the eyes of the Information Commissioner nowadays, with the advent of GDPR, it’s fairly unlikely that it would be consent if you are offering services in exchange for that consent.