The GDPR will come into effect in the UK from 25 May 2018, regardless of Brexit. Organisations, including pharmacies, currently required to comply with the UK Data Protection Act 1998 (DPA) for processing personal data, will need to be compliant with the GDPR. Many concepts and principles will be similar to the existing DPA. However, the GDPR will introduce new elements and significantly enhanced requirements regarding data protection.
In October’s NPA Essential we published an overview of the changes but this month we look at a key aspect of the GDPR and one of the six lawful bases for processing personal data – consent. As GDPR information is constantly being updated, information and subsequent resources may be subject to change so keep checking the NPA website for updates.
Consent must be obtained where no other lawful basis for processing personal data is applicable. Because there are five other lawful bases for processing personal data, consent will not always be required from an individual. Wherever possible and appropriate, you should try to use the other lawful bases that permit your organisation to process an individual’s data.
If consent is used to legally process an individual’s personal data, it must be: freely given, specific, informed and unambiguous; and provided by the individual either by a statement or by a clear affirmative action that explicitly signifies agreement to the processing of their personal data.
Consent must also meet certain conditions, including: being presented to the individual in clear and plain language; being easily accessible; allowing for simple and straightforward withdrawal by the individual at any time – individuals should be made aware of how to withdraw consent prior to providing consent.
The Information Commissioner’s Office (ICO) also recommends: regularly reviewing and updating consent and associated procedures (as necessary); keeping records of evidence – including who has provided consent; when consent was given; how consent was provided; and what was consented to.
Consent must not be obtained by default, for example, by lack of affirmative action from the individual or using pre-ticked opt-in boxes.
Further information on the GDPR and consent can be found in the NPA resource “General Data Protection Regulation (GDPR): consent – brief overview (November 2017)”.