The latest GDPR blog from the ICO is certainly worth a read if you have encountered conflicting advice about the need for consent. In the article, Elizabeth Denham from the ICO tackles the myth that organisations must have consent in order to process personal data. Guidance from the ICO states that whilst consent is one of the lawful bases for processing personal information, the GDPR provides five other ways of processing data which may be more relevant and appropriate in certain situations. For executive search, there are a number of scenarios where there would certainly appear justification for choosing legitimate interest as a legal basis.
If you are unsure of the relevance of consent and legitimate interest in satisfying the requirements of the GDPR, why not read: ‘The Age of Consent: a GDPR Perspective’? Written by Andy Warren, Invenias CFO and Chief Information Security Officer at Invenias, this short blog provides a really good overview of two key legal bases.
MYTH You must have consent if you want to process personal data. Fact: The GDPR is raising the bar to a higher standard for consent. But I’ve also heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”. The rules around consent only apply if you are relying on consent as your basis to process personal data. So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way. - Elizabeth Denham, Information Commissioner, ICO