The GDPR (General Data Protection Regulation) is a complex beast, and there seems to be an endless supply of regurgitated information about it online, in print and at various events. What is lacking, however, is practical information on how to handle its requirements operationally.
Take as an example the humble withdrawal of consent for personal data processing. The notion of removing permission is clear, but what about questions such as whether that request can be denied, or how long you have to respond? This information is less than forthcoming, or is often buried in copied and pasted jargon.
5 Steps for Handling a Withdrawal of Consent
The conditions for consensual data processing in Article 7 require that consent is both easily given and easily withdrawn. On that basis, organisations need to have a plan of action for when a withdrawal takes place. Take a look at our sample step by step list below:
- Assess the withdrawal of consent notice and determine which data processing activity/workflow consent is being withdrawn from. You may have multiple data processing activities/workflows, each with its own lawful basis.
- You may seek identification to ensure that you are interacting with the correct data subject. This should not be prohibitive and should not be used to stall the data subject in order to buy more time.
- Determine whether or not the processing activity in question is lawful on the basis of consent. It may be that the processing is lawful on another basis, such as a contractual obligation or legitimate interests. Processing carried out under a contractual obligation cannot have consent withdrawn, as it is not consent which makes it lawful; likewise, where processing is carried out because of a legitimate interest, no consent was given in the first place.
- If the justification for lawful processing is the pursuit of legitimate interests, as it would likely be in the case of direct marketing, the data subject has a right to object to the processing rather than a right to withdraw consent. In the case of direct marketing, processing must cease unless the data controller can prove compelling grounds for its processing.
- If the justification for processing is consent, the withdrawal of that consent removes the data controller's lawful basis for continuing to use the data subject's personal data in that processing activity.
- Once processing of that data subject's personal data has ceased, you may need to give effect to the data subject's right to erasure. Where you have no further lawful basis to process a data subject's personal data, you are compelled to remove or delete it, as defined in Article 17. There are a number of exemptions under which the right to erasure does not apply, such as:
  - Where processing is for exercising the right of freedom of expression or information.
  - Where continued processing is required by a contractual obligation to which the data controller is subject.
  - Where processing is in the public interest.
  - Where processing is in the public interest in the area of public health.
  - Where processing is for archiving purposes in the public interest.
  - Where processing is required for the establishment, exercise or defence of legal claims.
- Notify the data subject within a reasonable time. The withdrawal of consent, the right to object and the right to erasure are all non-specific when it comes to the time allowed for completion. However, this should not be seen as licence to be unreasonable, and continued processing after a withdrawal of consent or an objection should not affect the data subject in a negative way.
Note: The GDPR covers the processing of personal data, whereas a separate regulation covers how you communicate with data subjects; the two activities are not always the same. That regulation is known as the PECR (Privacy and Electronic Communications Regulation) and is most famous for enforcing unsubscribe options on marketing emails. An unsubscribe from an email doesn't necessarily restrict your ability to process personal data, only your ability to communicate via email.
Data Subjects Might Not Always Be Correct
In the steps above, we drew a clear distinction between the withdrawal of consent and the right to object. You may also have noticed that the right to erasure was a consequence of the two, rather than something which was directly requested. These nuances are often overlooked and will likely be misunderstood by data subjects too. It is important that you do not use this as a way to buy time or distract the data subject; it is your obligation as a data controller to be transparent and accommodating.
After all, data subjects, that is your customers and contacts, will vote with their feet and their wallets when it comes to judging your "fairness" in handling their personal data. What may seem like savvy business practice in your eyes may be unwarranted and undesired in theirs.