CONSENT AS A LAWFUL BASIS FOR PROCESSING
Thank God it's Friday, and welcome to another edition of Privacy Notes.
Today we will be talking about the issue of consent (insert eye emoji). Society has developed to a point where free will is of maximum importance in most of our daily activities and interactions with one another, and data protection is no exception. One of the biggest changes that the Nigeria Data Protection Regulation (NDPR) brings is how organisations obtain valid consent from individuals before processing their personal data. The NDPR defines consent as “any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.”
Consent gives a Data Subject real choice and control over their personal data. For a valid consent, certain key points must be considered. It is important to keep in mind that consent must be given before a processing activity is undertaken on Personal Data and is linked to a specific purpose. If the purposes of the processing activity change after consent was obtained or if an additional purpose is envisaged, new and specific consent is required.
Organisations that are Data Controllers must determine if consent will meet all the requirements of data processing. The Data Controller bears the burden of proving and demonstrating the validity of consent. Thus, particular care is needed when the legal basis for the data processing is consent.
HOW TO OBTAIN A VALID CONSENT?
- CONSENT MUST BE FREELY GIVEN – This means that a Data Subject is given a clear choice on whether he wants to provide such personal data or not.
- CONSENT MUST BE SPECIFIC – The Data Subject must agree specifically to each use of their personal data, such as sharing, publishing, marketing or cross-selling.
- CONSENT MUST BE INFORMED – This means that a Data Subject must be informed of each type of information the Data Controller collects and how it is to be used.
- CONSENT MUST BE CLEAR, AFFIRMATIVE AND UNAMBIGUOUS – Organisations cannot use pre-checked boxes. Consent must be a clear and affirmative action, whether it be the tick of a checkbox, the click of a button or appending a signature as proof.
You will agree with me that there are a lot of criteria to meet to ensure consent is genuine and valid. Moreover, when consent is obtained, Data Subjects should be duly informed of their right to withdraw it at any time.
Under the NDPR, for children under 13 years, organisations need to get consent from whoever holds parental responsibility for the child because children need particular protection when you are collecting and processing their personal data and they may be less aware of the risks involved.
It is important to note that consent should be the last resort as a legal basis for the processing of Personal Data by the Data Controller, as it is the weakest legal basis there is: it is always open to dispute by the Data Subject (issues like the extent of consent given, processing activities covered etc.). As such, it should be used sparingly, where no other legal basis applies. The legal basis of consent should always be supported by another legal basis, as this will go a long way to reduce the Data Controller’s exposure to liability.
Organisations relying on inappropriate or invalid consent could destroy trust and harm their reputation – and may leave themselves open to large fines. If you want to determine your processing activity or you need advice on determining if Consent should be your lawful basis for processing personal data, you should consider contacting us on email@example.com.
Thank you for staying tuned…
See you in a bit.