If you have a question you'd like to ask our experts in a future edition of GDPR Weekly, please get in touch on firstname.lastname@example.org.
When gaining a consumer's consent, does this need to obtained in writing?
Bernard George, solicitor for Socrates Training Ltd:
Consent does not have to be in writing. Take these examples.
- A client phones you and gives you details of their solicitor, so you can send them details of the transaction. Clearly, the client consented to you using this information. It would be a waste of their time and yours to have to get that in writing. (By the way, you might argue you do not actually need consent in this case, but even if you do, oral is fine.)
- A prospective tenant phones and asks you to email them the details of a property.
In general, you need consent to send out marketing emails. But again in this case they have given you consent.
Of course, you need to be able to prove consent if challenged. So, in your email you might refer to the call. Likewise, you should have a 'privacy notice' on your website, explaining you will do in cases like this.
Jon Baines, data protection advisor at Mishcon de Reya LLP:
Under data protection law, including GDPR, consent does not have to be given in writing.
Consent is ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes’, signifying agreement ‘by a statement or by a clear affirmative action’. Recital 32 to GDPR makes clear that this can be an oral statement.
However, it’s important to note that the accountability principle running through GDPR requires one to be able subsequently to demonstrate that the data subject has given consent. If the consent has been given orally, the data controller must therefore record this.
As a matter of general sensible practice, where consent has been received orally, one should follow this up in writing to make sure that the data subject is indeed fully aware of the situation, and to make sure that appropriate records are kept.
The GDPR team at Mishcon de Reya comprises data protection experts as well as non-lawyer cyber security specialists. If you would like any advice on how to manage GDPR within your organisation, please contact Jon Baines.
Annemarie Proudfoot, head of customer relations at BestAgent:
You must have a record of what the client agreed to, and when. So yes, either in writing or ideally in electronic format (for example an email).
If you gain consent over the phone and do not follow up with an email, make sure you have a record of the ‘script’ you read them (informing them of their rights, exactly what the scope of the consent was) and the date that they said ‘yes’.
Damon Bullimore, chief information officer at BriefYourMarket.com:
There are several ways that consumer consent can be obtained for data processing activities. These include: digital and paper formats, telephone, and face-to-face.
The Information Commissioner’s Office (ICO) state that businesses must ‘keep clear records to demonstrate consent’. Therefore, because agents will be obtaining verbal and non-verbal consent, they will have to implement ways to record and demonstrate consent in either a digital or physical format.
The ICO also notes that businesses should consider using ‘privacy dashboards or other preference-management tools’ to obtain, record and manage consent.
Because businesses are required to ‘regularly review consent’ and ‘make it easy for people to withdraw their consent at any time’, preference-management tools give customers more control of their data, which may explain why the ICO makes the advisory.
To find out more about our GDPR-compliant platform and preference-management tools, please request your free consultation here.
*If you would like to receive further guidance from any of our GDPR experts, please click here.
Angels Media Ltd encourages you to seek additional guidance, including professional legal advice, to ensure that all of your business operations are ready for the GDPR.
Angels Media Ltd Legal Disclaimer:
The information contained here is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice.
We would like to stress that there is no substitute for making your own detailed investigations or seeking your own legal advice if you are unsure about the implications of the GDPR on your businesses.
While we have made every effort to ensure that the information covered here is correct and up to date, we Angels Media Ltd makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied.
Angels Media Ltd will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.