GDPR – Consent
Making sure you have a proper basis for processing personal data
The requirement to have a lawful basis in order to process personal data is not new, but the GDPR places more emphasis on being accountable for and transparent about your lawful basis for data processing. The lawful bases are:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the data processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the data processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the data processing is necessary to protect someone’s life.
- Public task: the data processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the data processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
For most expert witnesses, it will be the first of these, consent, that is the lawful basis for processing data.
The GDPR makes it much harder to imply consent. The standard will now require some clear affirmative action (such as a written, electronic or oral statement) establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed. The burden of showing that consent was validly obtained and freely given will fall on the data controller. For consent to be informed, the data subject should be aware of at least the data controller’s identity and the intended purposes of the processing.
The ICO’s thinking on this is still evolving, but we feel that it is part of the data processor’s task (the expert witness) to ensure that there is a valid consent obtained by the data controller (the instructing lawyer), and that this consent identifies any third parties (e.g. expert witnesses) to whom the data will be passed.