What is explicit consent?
With vulnerability high on the FCA’s agenda for 2020, financial services firms have an eye on its new guidance document, which seeks to clarify what the regulator expects to see in terms of culture, product design, staff training, and support options. The FCA’s response and final guidance are due in the first half of 2020, but the guidance document as it stands provides a clear impression of where firms should be heading in their treatment of vulnerable customers in 2020.
But there is some concern – understandably – about how a customer’s vulnerability can be collected, recorded and acted upon, given the constraints of the General Data Protection Regulation, and fears of hefty fines if the rules are breached. It’s vitally important that customers with vulnerabilities are supported in accessing financial services and getting the most out of them in a way that is in their best interests, so to help firms we’ll be focussing on the interplay between vulnerabilities and the GDPR in a series of articles between now and the first half of 2020. First up is the issue of explicit consent.
This term has been in common use for a while; the 1998 Data Protection Act had it as one of the conditions for processing ‘sensitive personal data’. One of the things the GDPR does is slightly update the definition of sensitive personal data – or ‘special category data’ under the Regulation – to include genetics and biometrics, but for financial services firms the definition remains, for the most part, the same: anything that relates to an individual’s race, politics, religion, trade union membership, health, genetics, biometrics or sex life. In most cases where a vulnerability is concerned, it’s likely to be in relation to a customer’s health.
Special category data is treated differently because it’s considered that there are inherent risks to individuals’ rights and freedoms – for example unlawful discrimination – and so this information needs to be processed with greater care than other types of personal data.
Firms will, therefore, need two lawful bases in order to process (i.e. collect, store, use and record) information about a customer’s vulnerability. Firms will already know which Article 6 basis they use to process the customer’s non-special category data, but to record health data, they also need to select a basis under Article 9. Explicit consent is one of the available bases, and likely to be the most appropriate in the majority of cases.
In practice, ‘explicit consent’ means that the customer has given a clear, unambiguous agreement for their data to be used in a specific way.
But firms should be wary of how this consent is sought, because if it is asked for in a generic way, or through a ‘blanket approach’ that covers a number of different purposes, it won’t meet the requirements and will be a breach of the Regulation.
Seeking explicit consent in a lawful way starts fairly early in the conversation with the customer. In short, for a customer’s explicit consent to be compliant, it must be ‘fully informed, specific, freely given, and as a result of positive action’ as well as evidenced and easy to withdraw from.
Let’s take ‘fully informed’. This embodies the idea that someone cannot truly consent to something if they don’t know what they are actually consenting to. The Regulation, then, requires that firms provide the customer with the stated minimum information – the firm’s identity, the purpose of each processing operation, the type of data concerned, the right to withdraw consent, information about automated processing, and the risks of data transfers to third countries, if applicable. More information can be provided to give the customer a clear idea about how and why their data will be used, but this is the minimum.
Explanations cannot be hidden within something else, such as terms and conditions, or written or spoken in a way that is difficult to understand – language should be clear and plain and avoid legalistic terms.
The same goes for the actual declaration of explicit consent. Because the GDPR sets out that explicit consent must be given via a ‘positive action’, silence from the customer, non-action, or failure to untick a box cannot be taken as an indication of consent. The declaration of consent must be separate from other elements in a document, and individually and clearly given through an affirmative action, such as actively ticking a box, signing a statement or clearly stating ‘yes’ during a spoken conversation.
As with all other elements of the Regulation, evidence is important. Explicit consent must be evidenced. How this is collected and stored in practice will depend on the firm’s ways of working and the method used to gain the consent in the first place, but could include stored documentation, call-recording, or detailed notes recorded by the call handler.
RB Compliance is embarking on a project alongside Chris Fitch of Bristol University and Colin Trend, lead trainer at Money Advice Trust, to provide the industry with clear and workable guidance on the issue of vulnerability and the GDPR. If you would like to be involved in a consultation exercise, please contact me at firstname.lastname@example.org