
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


What to do when you receive a "Withdrawal of Consent" under the GDPR

Posted: 14 February 2018


The GDPR (General Data Protection Regulation) is a complex beast, and there seems to be an endless supply of regurgitated information about it online, in print and at various events. What is lacking, however, is practical information on how to handle its requirements operationally.

Take, as an example, the humble withdrawal of consent for personal data processing. The notion of removing permission is clear, but what about questions such as whether that request can be denied, or how long you have to respond? This information is less than forthcoming, and is often buried in copied-and-pasted jargon.

5 Steps for Handling a Withdrawal of Consent

The conditions for consensual data processing in Article 7 require that consent is as easy to withdraw as it is to give. On that basis, organisations need a plan of action for when a withdrawal takes place. Take a look at our sample step-by-step list below:

  1. Assess the withdrawal of consent notice and determine which data processing activity/workflow consent is being withdrawn from. You may have multiple data processing activities/workflows, each with its own lawfulness basis.
  2. You may seek identification to ensure that you are interacting with the correct data subject. This should not be prohibitive and should not be used as a way of delaying your response to the data subject.
  3. Determine whether or not the processing activity in question is lawful on the basis of consent; it may be that the processing is lawful on another basis, such as a contractual obligation or legitimate interests. Processing carried out under a contractual obligation cannot have consent withdrawn, as it is not consent which makes it lawful; likewise, where processing is carried out because of a legitimate interest, no consent was given in the first place.

    • If the justification for lawful processing is the pursuit of legitimate interests, as it would likely be in the case of direct marketing, the data subject has a right to object to processing rather than a right to withdraw consent. In the case of direct marketing, processing must cease unless the data controller can prove compelling grounds for its processing.
    • If the justification for processing is consent, the withdrawal of that consent removes the data controller's lawful basis for continuing to use the data subject's personal data in that processing activity.
  4. Once processing of that data subject's personal data has ceased, you may need to enact the data subject's right to erasure. Where you have no further lawful basis to process a data subject's personal data, you are compelled to remove or delete it, as defined in Article 17. There are a number of exemptions under which the right to erasure does not apply, such as:
    • Exercising the right of freedom of expression and information.
    • Where continued processing is required by a contractual obligation to which the data controller is subject.
    • Where processing is in the public interest.
    • Where processing is in the public interest in the area of public health.
    • Where processing is for archiving purposes in the public interest.
    • Where processing is required for the establishment, exercise or defence of legal claims.
  5. Notify the data subject within a reasonable time. The withdrawal of consent, the right to object and the right to erasure are all non-specific when it comes to the time allowed for completion. However, this should not be taken to mean that an unreasonable delay is acceptable, and any continued processing after a withdrawal of consent or an objection should not affect the data subject in a negative way.

Note: The GDPR covers the processing of personal data, whereas a separate regulation covers how you communicate with data subjects; the two activities are not always the same. This regulation is known as the PECR (Privacy and Electronic Communications Regulation) and is best known for enforcing unsubscribe options on marketing emails. An unsubscribe from an email doesn't necessarily restrict your ability to process personal data, only your ability to communicate via email.

Data Subjects Might Not Always Be Correct

In the steps above, we set out a clear difference between withdrawal of consent and the right to object. You may also have noticed that the right to erasure was a consequence of the two, rather than something which was directly requested. These nuances are often overlooked and will likely be misunderstood by data subjects too. It is important that you do not use this as a way to buy time or distract the data subject; it is your obligation as a data controller to be transparent and accommodating.

After all, data subjects, i.e. your customers and contacts, will vote with their feet and their wallets when it comes to judging your "fairness" in handling their personal data. What may seem savvy business practice in your eyes may be unwarranted and undesired in theirs.

Posted by Chris Payne
Senior Technical Consultant, Infinigate UK