To consent or not to consent

Hi all

Well, it's been a good week business-wise. I've been helping a company with ISO 9001 implementation, a long-standing company that has had quality management in place for 10 years; it was good to see them again, and it is always a pleasure to support my client. I've also been helping Disclosure Services with their GDPR and ISO 27001 requirements. This company has a long-standing history of implementing standards and has been in business since 2002; they are organised, focused and very much aware of the continuing trend of addressing data protection - which is a good thing. In this day and age it is good to focus on continual improvement, and the application of the GDPR is an ongoing task.

The General Data Protection Regulation is an excellent piece of legislation. It puts the rights and freedoms of the data subject first, which can only be right, and among its many requirements it asks that you obtain consent before processing personal data.

Processing personal data is not always based on consent. Consent is one of a few lawful ways to process data, but not the sole lawful basis; the lawful bases are set out in Article 6, Lawfulness of processing. For the purposes of this blog we will focus on consent.

Not all data sharing is unlawful if it is not consented to. For instance, your doctors (the NHS) may share your data for your own safety, sharing it with other agencies to keep you safe; they do not need your permission to do this, of course, because saving lives is vital, and that is why information can be shared to protect you. This is where this lawful basis applies: processing is necessary in order to protect the vital interests of the data subject. Not many organisations can rely on this basis for processing data unless it is for health reasons. The personnel departments of the people we work for need to know if you have any health issues, to protect you. This information is special or sensitive and should be treated with the utmost respect and confidence.

So, what is consent? Consent is where a data subject (a human being) expressly permits their data to be processed. There may be a few ways of addressing this, the main one being ticking a box that says 'I give my consent for my data to be processed in a manner suitable for the purposes of the processing', or something like that. This could come from many places: doctors' surgeries, dentists, Google, Facebook, Twitter accounts, supermarkets and many more. The trouble occurs when we give our details to companies or organisations and they share that data with third parties - i.e. with others, perhaps with companies you do not wish to share your data with.

If you ever give your personal details (personal data) to organisations, you should read their privacy policy; this will set out your rights and also tell you who the data gets shared with. It is this which people often overlook. Data then gets shared with third parties, and those third parties contact you without your express consent. Consent is very often not given by people for sharing their data with third parties, or so they believe. You see, what happens is that we sign up to services, both online and off, give our personal data and expect it to be treated confidentially. Some companies hide what they do with your data, buried within some policy that you either did not read or did not understand. This is where the dangers lie. Just what are we consenting to? In a lot of cases people consent to the sharing of their data without realising it, because a lot of policies are overlooked and people don't go through the details of the policy they are signing up to.

What can then happen is that these large organisations sell your data and share it with others for the purposes of business. With the companies I help, I often ask if they use marketing lists. Marketing lists are bought by companies from other companies and from people selling data. What I then ask is whether they have had consent from the data subject to access that data, and whether the company selling it got consent, and when. This is the danger of buying marketing lists: people have been signed up to a list without even knowing. Let's say you go to a convention and someone takes your details; they then tell you that it's for further contact, promotions etc. They rarely say that they will sell your data - and this is not what you gave consent for.

When giving out your data you should be aware that it could be shared and used to contact you about products and services that you neither want nor have any intention of buying. Treat your data as part of you: it is highly personal, often sensitive and confidential information which you should rightly guard.

The GDPR gives us (data subjects) protection, and you can use the GDPR to your advantage if you ever challenge a business. You can ask them what data they hold about you and what they are doing with it. You can ask when they got your consent, and you can also ask them to permanently delete the information should you so wish; they have to comply with these demands. This is called a subject access request in data protection terms.

Be careful what you sign up to; read the privacy policies, terms and conditions etc. before sharing your data, or else it could get into the wrong hands.

Best regards


Steven Burgess is an ISO 9001 and ISO 27001 consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.