The Information Commissioner, Elizabeth Denham, has again spoken to some of the myths that are circulating regarding the implementation of the GDPR in 2018 with the statement that “consent is not the silver bullet”. The commissioner is keen to emphasise the importance of consent but also to dispel the myth that this is the only way for an organisation to process data.
So much attention is being placed on “consent” under GDPR, and on the new laws that apply to it, that many businesses now believe an organisation can only process data if it has explicit consent from the data subject to do so.
The Information Commissioner is keen to point out that, whilst there are new rules and responsibilities regarding consent, consent itself is only one avenue for an organisation to comply with GDPR, commenting;
The individual whom the personal data is about has consented to the processing.
The processing is necessary:
- in relation to a contract which the individual has entered into; or
- because the individual has asked for something to be done so they can enter into a contract.
The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
The processing is in accordance with the “legitimate interests” condition.
Elizabeth Denham was also keen to point out that, whilst the European consent guidelines are not expected to be published until December 2017, the ICO’s own draft guidelines on consent are an excellent place to start in ensuring that organisations are prepared for the implementation of GDPR.