Complying with the law on data protection is not as easy as ‘click this box’ consent forms.

17 Jun


The free-for-all in data sale and collection will be cut abruptly short in two years, when all companies involved in data collection and processing will have to comply with the General Data Protection Regulation (GDPR).

The British version of the EU-mandated General Data Protection Regulation (GDPR) will apply from 25 May 2018 onwards. Although the GDPR was technically in force from 24 May 2016, EU member states have until 6 May 2018 to transpose it into their national law.

What has changed?

In addition to the requirements already in place under the Data Protection Act, companies will have additional responsibilities regarding minors. For example, they will need to get parental consent to collect children’s data.

And crucially, privacy guidelines and terms and conditions will need to expand. Under the GDPR, where individuals give consent to the use of their data they must be informed of their right to withdraw this consent at any time. Where they are giving up sensitive data, this consent must be “explicit.”

Data controllers must be able to demonstrate that when consent was taken it was “freely given, specific, informed and unambiguous, shown either by a statement or a clear affirmative action which signifies agreement to the proceeding,” according to Article 4 of the GDPR.

Potential problems

There are some additional considerations from a compliance perspective which companies must factor into their privacy statement and terms and conditions. This paper by Allen and Overy (hyperlink) summarises the key issue:

“The agreed text states that in assessing whether consent has been freely given, account shall be taken, for example, of whether the performance of a contract is made conditional on the consent to processing data that is not necessary to perform that contract.”

It points out that this could affect a number of e-commerce services. Simply requesting any additional ‘demographic’ information beyond contact details will have to be justified. Making the creation of a login or a profile on a site conditional on the individual stating, for example, whether they prefer tea or coffee, or whether they are a custard cream or a chocolate digestive person, would not be permitted unless this information was relevant to their application.

If the privacy notice stated that the organisation – say a PR firm – was trying to assess the applicant’s personality type and suitability for a job position, and had a legal basis for setting a series of seemingly random questions about their consumer preferences, that might be acceptable. If no explanation was given and the website sold an unrelated product such as hardware and home appliances, it would be assumed that the data was being collected to sell to a third party without the individual’s consent.

The fines for breaching the conditions of the GDPR could gouge out up to 4% of a company’s annual worldwide turnover, for major offences like those relating to international transfers, or the essential principles of processing like conditions for consent. This could affect your margin. Other specified breaches could exact a fine of up to 2% of annual global turnover.
