
GDPR: Cyber Security and the Law Team Up to Protect Data Privacy

Data privacy, and the role of consent, are about to step into the limelight in a very big way. Here’s what it means to you

Time and again, questions around the protection of data privacy force their way onto center stage. Not every data privacy problem involves a violation of consent. But when it does, the people affected—not to mention the interested government and regulatory bodies—are wont to register their displeasure in very public fashion.

Even in our increasingly digitized world, there’s an assumption held by many people that granting or withholding consent is one of the few remaining levers they can use to control their online exposure. What they’ve learned to their dismay is that’s not always the case.

Data privacy, and the role of consent, are about to step into the limelight once more—and in a very big way. The EU’s General Data Protection Regulation (GDPR) takes effect on May 25 and the way it characterizes consent could be a game-changer.

But just as not every data privacy violation involves a disregard for consent, companies will not need to rely on consent every time to ensure GDPR compliance. Under the GDPR, your company can lawfully process personal data so long as you adhere to one of six available legal bases. One of those is Consent.

Some companies will need to operate based on Consent while others won’t. It’s likely that businesses will exercise a mix of legal bases, and most will need to rely on Consent for some processing as a last resort.

If Consent is the legal basis chosen for a particular personal data processing activity, the GDPR states that the individuals involved (“data subjects”) must give their consent unambiguously, separately from other terms and conditions, and via a clear affirmative action (opt-in). The GDPR requires they be told the purposes for which their data is collected, and requires separate consent for separate uses of the same data.

Most significantly, the GDPR gives individuals the specific right to withdraw consent at any time (and requires they be told about this right and be given an easy way to exercise it). “If individuals revoke consent, your company no longer has that legal basis for processing their personal data,” according to Ilias Chantzos, Senior Director of Symantec's Government Affairs programs for Europe, Middle East & Africa as well as the Asia Pacific and Japan. “Which tells us that Consent is the least desirable legal basis for processing because it can be revoked by the data subject any time, in other words, the company has no control over it.”

Also, from a company’s perspective, relying on Consent comes with certain data management burdens, including:

  • Keeping a record of who’s given consent—and when, how, to what, and where it was given
  • Periodically reviewing how personal data is being used—and, if anything changes, seeking fresh consent
  • Creating a system for fully and quickly acting on consent withdrawals

As the UK Information Commissioner’s Office (ICO)'s own website states: “The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.”

The GDPR offers five other lawful bases for processing personal data:

  • Contractual Necessity: Processing is necessary due to the fulfillment of a contract.
  • Legal Obligation: Processing is necessary to comply with the law.
  • Vital Interest: Processing is necessary to save or protect an individual’s life.
  • Public Interest: Processing is necessary to fulfill a public interest in official functions. (Only applies to governmental agencies/entities.)
  • Legitimate Interest: Processing is necessary to the legitimate interests of an organization or a third-party affiliate.

Although Consent is listed in the GDPR legislation as the first legal basis for processing, companies should rely on it only when every other basis has been considered and found not to apply. For instance, when it comes to marketing activities, companies have no control over the wishes of their target audience, and from a consumer point of view that is as it should be. As a matter of fact, one of the rationales behind the legislation is that too many companies have used, and abused, individuals' personal data for less than appropriate purposes.

The GDPR might succeed in bringing that to an end, creating a fairer environment and easing the ‘tensions’ between the two camps.

About the Author

Leslie Feldman

Symantec Cyber Security Staff Writer

Leslie has more than 20 years' experience writing about technologies and their user impacts for magazines, such as InfoWorld, and companies including those with a foot (or more) in the security space such as EMC, McAfee, RSA Security, and Seagate Technology.
