What is Consent? – Simplified!

DATA PRIVACY PULSE – From Basics to Compliance

An Educative Series by Sentinel Africa Consulting – Ep2 by Musa Wesutsa

What is Consent?

Consent is a specific legal basis for handling Personally Identifiable Information (PII), and it is just one option: there are 6 others. Here are the other legal bases that you can use for processing PII:

  1. Contractual Necessity: Processing is necessary for the performance of a contract.
  2. Legal Obligation: Processing is required to comply with a legal obligation.
  3. Vital Interests: Processing is essential to protect someone’s life.
  4. Public Task: Processing is carried out in the public interest or as an official function.
  5. Legitimate Interests: Processing is based on the legitimate interests of the data controller or a third party.
  6. Legal Claims: Processing is necessary for the establishment, exercise, or defense of legal claims.

These legal bases provide a framework for your organization to handle personal data lawfully under data protection regulations like the GDPR or other local regulations.

It’s essential to understand that you have various options for justifying PII processing. I actually recommend using consent as a last resort when all other legal bases are not suitable.


What is a good way to do a request for Consent?

  • Freely given by the data subject whose data you intend to process. Consent should not be coerced, so attaching the delivery of a service to consent is wrong.
  • Explicit and specific – Consent should not be implied. If consent is not granted, then by default it is denied, not vice versa.
  • Explain exactly and in simple terms why the processing is necessary and therefore why consent is sought. Avoid jargon, “legalese” and lengthy terms and conditions, so that the data subject is fully clear on what they are consenting to and why it is necessary.
  • Provide an option to deny consent – the data subject should exercise the element of choice when granting consent. A consent form should give the option to deny consent just as clearly and simply as it gives the option to grant it.
  • Provide a mechanism and information on withdrawal of consent – remember that the data subject has the right to withdraw consent just as freely and just as easily as they grant it.

What is a horrible way to do a request for Consent?

  • There is no choice – the data subject is presented with a statement that offers only one option, which is basically to accept.
  • Bundling consent – where different services/actions are presented in one consent form, so that a data subject is not able to consent to one action and deny consent to another within the form.
  • Where a more suitable legal basis ought to have been used, such as the performance of a contract.
  • Where the data subject is a minor, belongs to a vulnerable group or there is a power imbalance (e.g. employers and employees) – because the data subject may give consent under duress.
  • Where consent is implied – meaning the data subject has to opt out rather than opt in.
  • Overcollection – This occurs when you gather more PII through the consent form than is genuinely necessary for your specific purpose, such as requesting a phone number unnecessarily.

In conclusion,

The new regulations on data protection need not be a yoke that stifles businesses that rely on data decision-making or advertising. Innovations are called for to ensure that the protection of data subjects’ PII is considered not as an afterthought but intertwined in the design right from the beginning. Measures to deidentify PII such as anonymization and pseudonymization can go a long way in reducing the burden of consent collection on data controllers.

Consent remains a tricky issue and the line between what is allowable and not can be blurry. For detailed guidance on data protection compliance, feel free to connect with me on LinkedIn.

I trust you’ve gained a fundamental understanding of consent. Stay tuned for our next episode as we delve deeper into this critical topic, ensuring you stay well-informed.

See previous Episode 1 – ODPC FINES EXPLAINED – THE ELUSIVE MIRAGE OF CONSENT

By

MUSA WESUTSA O’WAKWABI

C.E.O – SENTINEL AFRICA CONSULTING
