The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the European Union's regulation in the field of data protection. It replaces the Data Protection Directive 95/46/EC, which dated from 1995. The GDPR was adopted in April 2016 and has applied since May 25, 2018. The GDPR regulates the handling of personal data by controllers and processors.
The question of how to validly obtain consent under the GDPR generates a lot of discussion, yet it is often a simple problem to deal with. There are however important considerations that need to be assessed! First: do you really need consent? This is an essential first step, as consent is only one of the six legal bases of Article 6 and it is not necessarily the one required in all cases (sometimes it must be avoided, because relying on consent when another legal basis is required can itself be a GDPR violation). This verification is the essential starting point (I). Only once we are sure that consent is the correct legal basis can we design a process that captures that consent under the conditions set by the GDPR (II).
The GDPR introduced an interesting new concept to ensure the protection of personal data: the notion of "privacy by design". To be completely exact, the GDPR (Article 25) distinguishes two ideas, which it calls data protection by design and data protection by default. These concepts originally came from Dr. Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada, who developed a series of principles to take privacy into account straight from the design of processing systems; they were endorsed internationally by data protection commissioners in 2010.
Beware not to confuse the DPO, the "Data Protection Officer" (a GDPR concept), with the "Data Privacy Officer" (not a GDPR concept)! The reason is that the GDPR has a very specific view of the DPO: the Data Protection Officer is NOT in charge of ensuring compliance with the GDPR. That is the role of the Controller, not the DPO! The DPO's tasks are to inform and advise the organization and to monitor compliance (Article 39), not to be accountable for it. Let's clarify this important distinction, often misunderstood by businesses who designate a DPO and discover afterwards that they need additional staff to ensure compliance.
The notion of personal data is without question the most important component of the GDPR, because it determines whether the GDPR applies or not. If an organization is processing personal data, it is mandatory to ensure compliance with all provisions of the GDPR (99 articles, roughly 100 pages). However, none of these obligations apply if no personal data is involved. Let's illustrate that with a diagram: