Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal teams and resources to ensure they are aware of their obligations under applicable regulations.

The quick answer… No.

With constant news about GDPR, a lot of uncertainty is being created about data protection and consent. The most common myth in circulation is that consent is the only basis on which data can be processed.

Under the new GDPR law, coming into effect on 25th May 2018, one of the biggest changes is that individuals must give organisations a positive opt-in to receive emails. This means that pre-checked boxes are not valid consent. In line with this, GDPR places a lot of emphasis on the requirement that, once an organisation has gained a positive opt-in from an individual, it must give them a clear and easy way to withdraw their consent if they wish to.

As this change is likely to have a big impact on many organisations, it has been the focus of many discussions and has created the misconception that data can only be processed if an organisation has consent to do so. This is not true: consent is one legal ground on which data can be processed, but not the only one.

To process data under GDPR rules, organisations need to be able to show that they are processing it on the basis of one of the SIX legal grounds (as identified by the UK's data authority, the ICO):

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

(Note that this condition is not available to processing carried out by public authorities in the performance of their tasks)

Keep in mind that the burden of proof for consent lies with the organisation. Therefore, it is down to the organisation to ensure that the legal ground on which the data is being processed is fully documented so that proof of compliance with the GDPR can be demonstrated to the ICO.

Chloe is Sugabyte's Customer Success Manager, ensuring our existing customers continue to be successful using SugarCRM.