GDPR and consent

Posted by rmt22 at May 01, 2018 01:55 PM

Consent is one of the range of lawful bases for processing personal data under GDPR.

It is anticipated that the University will only use consent as a lawful basis (other than ethical consent) in a minority of cases. When considering using consent, you should ensure all appropriate factors have been taken into account.

Consent is one of the range of lawful bases for processing personal data under GDPR. Consent is not a new consideration and has been a key part of the existing Data Protection Act 1998.

GDPR introduces a number of changes around how consent should be used and managed. These include new requirements to ensure that consent is freely given, informed and involves a clear indication of agreement. We must also ensure that individuals take a clear affirmative action to give their consent, and we must no longer use pre-ticked boxes or opt-outs.

In the context of the University, consent will not be the appropriate lawful basis for processing personal data in most cases. Typically, consent will only be used in cases where the individual has a genuine free choice to provide you with their information (examples include consenting to be photographed or joining a mailing list).

There are often misconceptions around the use of consent as a lawful basis for information collected as part of a research project. In the majority of cases the University will process this data under our ‘public task’ (our classification as a public body and research institution) rather than consent. This does not negate the need to obtain consent as part of our common law duty of confidence to individuals and the requirement for informed consent of a research subject. Explicit consent is also often required as an additional condition to allow the processing of special category (formerly known as sensitive) personal data.

If consent is being used then you must ensure that it is appropriately documented. This includes having clearly phrased consent forms and linking these to privacy notices which explain how an individual’s data will be used.

If you have previously processed data under consent then you will need to review this, because it is unlikely that the previous consent would meet the requirements of GDPR. If your existing consent no longer meets the GDPR standard then you should: seek fresh GDPR-compliant consent; identify a different lawful basis; or cease the processing.

A quick guide with all the key information that you need to know has been created and can be accessed at the following link.

Further information

Everyone can play their part in preparing for the GDPR. Please read our guide on the simple things that everyone can start doing to help prepare for GDPR on our GDPR pages.

Don’t forget to complete the University’s mandatory e-learning on information security, which can be accessed via Blackboard here.

GDPR drop-in surgeries are also being run on the following dates; please come along with a question about GDPR:

  • Thursday 10 May 11am-12noon
  • Friday 18 May 11am-12noon

Please note these are short surgeries to ask questions, not a formal training course.
