Consent and Lawful Data Processing: Your data has rights too!

In a digital world where personal data is constantly being collected, stored, and analyzed, organizations must ensure that their data practices are not only ethical but also legally compliant.

At the heart of data privacy regulations — whether it’s the EU’s General Data Protection Regulation (GDPR) or Kenya’s Data Protection Act (DPA) — lies the principle of lawful data processing and informed consent.

Understanding what constitutes valid consent and the lawful grounds for processing data is critical for both businesses and individuals. Missteps in this area can lead to severe reputational damage, regulatory fines, and a breakdown in trust.


1. What Is Lawful Data Processing?

Lawful data processing refers to collecting, using, storing, or sharing personal data in a manner that complies with applicable laws. Under most data protection laws, data controllers (organizations that determine why and how personal data is processed) must have a legal basis for every instance of data processing.


2. What Does Valid Consent Look Like?

Consent is one of the most well-known — but also most misunderstood — bases for lawful data processing. For consent to be valid, it must be:

  • Freely given: The individual must have a real choice. Consent should not be made a condition of accessing a service unless the processing is actually necessary to provide that service.
  • Specific: Consent must be obtained for clearly defined purposes.
  • Informed: The individual must understand what data is being collected, why, by whom, and for how long.
  • Unambiguous: Consent must be given through a clear, affirmative action — no pre-ticked boxes or implied agreement.
  • Withdrawable: It must be easy for individuals to withdraw their consent at any time.

Example: A website that collects user emails for newsletters must not assume consent through a pre-checked “subscribe me” box. Users must actively choose to opt in.


3. Legal Bases for Data Processing ⚖️

Beyond consent, there are several other lawful grounds under which personal data can be processed:

1. Contractual Necessity
  • Data is processed to fulfill a contract or prepare for one.
  • Example: Processing a customer’s address to deliver goods they purchased.
2. Legal Obligation
  • Processing is required to comply with the law.
  • Example: A company sharing employee salary records with the tax authority.
3. Vital Interests
  • Processing is necessary to protect someone’s life.
  • Example: Sharing health data in a medical emergency.
4. Public Task
  • Processing is required for official functions or public interest.
  • Example: A government agency maintaining citizen registries.
5. Legitimate Interest
  • Processing is based on a legitimate interest of the data controller, provided that interest is not overridden by the rights and freedoms of the individual.
  • Example: Fraud prevention or direct marketing with appropriate safeguards.

Each of these bases comes with its own set of conditions, and organizations must clearly determine and document which basis applies to each data processing activity.
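As an added illustration (not code from the article or from Sentinel Africa Consulting), the following Python sketch shows how the five consent tests in section 2 and the "document which basis applies" requirement in section 3 translate into a consent record and a register of processing activities. Every class name, purpose string and sample value below is constructed for the example; the checks encode the article's criteria, not any particular regulator's guidance.

```python
"""Consent records and a register of processing activities (illustrative, constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional


class LegalBasis(Enum):
    """The six lawful grounds listed in the article."""
    CONSENT = "consent"
    CONTRACTUAL_NECESSITY = "contractual_necessity"
    LEGAL_OBLIGATION = "legal_obligation"
    VITAL_INTERESTS = "vital_interests"
    PUBLIC_TASK = "public_task"
    LEGITIMATE_INTEREST = "legitimate_interest"


class InvalidConsent(ValueError):
    """Raised when a consent record fails one of the validity tests."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                   # specific: one clearly defined purpose per record
    controller: str                # informed: who is collecting the data
    retention_days: int            # informed: for how long it is kept
    affirmative_action: bool       # unambiguous: the user performed a clear opt-in act
    pre_checked_default: bool      # unambiguous: the control must not default to "yes"
    required_for_service: bool     # freely given: was consent a condition of the service?
    service_needs_this_data: bool  # ...and if so, is the data actually necessary for it?
    given_at: datetime
    withdrawn_at: Optional[datetime] = None  # withdrawable: set when the user opts out

    def validate(self) -> None:
        """Reject a record that does not meet the article's validity tests."""
        if not self.purpose.strip():
            raise InvalidConsent("consent must name a specific purpose")
        if not self.controller.strip() or self.retention_days <= 0:
            raise InvalidConsent("subject must be told who collects the data and for how long")
        if self.pre_checked_default or not self.affirmative_action:
            raise InvalidConsent("consent needs a clear affirmative action, not a pre-ticked box")
        if self.required_for_service and not self.service_needs_this_data:
            raise InvalidConsent("consent tied to a service that does not need the data is not freely given")

    def is_active(self, at: datetime) -> bool:
        """Consent applies from the moment it is given until the moment it is withdrawn."""
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ProcessingRegistry:
    """Documented basis per processing purpose, plus the consent records collected for it."""

    def __init__(self) -> None:
        self._basis: Dict[str, LegalBasis] = {}
        self._consents: List[ConsentRecord] = []

    def document_activity(self, purpose: str, basis: LegalBasis) -> None:
        self._basis[purpose] = basis

    def record_consent(self, rec: ConsentRecord) -> None:
        # "Specific": consent is only meaningful for a purpose documented as consent-based.
        if self._basis.get(rec.purpose) is not LegalBasis.CONSENT:
            raise InvalidConsent(f"{rec.purpose!r} is not a documented consent-based activity")
        rec.validate()
        self._consents.append(rec)

    def withdraw(self, subject_id: str, purpose: str, when: datetime) -> int:
        """Withdraw every active consent for this subject and purpose; returns how many."""
        count = 0
        for rec in self._consents:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.is_active(when):
                rec.withdrawn_at = when
                count += 1
        return count

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        basis = self._basis.get(purpose)
        if basis is None:
            return False  # no documented basis: the activity must not run at all
        if basis is not LegalBasis.CONSENT:
            return True   # another documented basis (contract, legal obligation, ...) applies
        return any(r.subject_id == subject_id and r.purpose == purpose and r.is_active(at)
                   for r in self._consents)


def demo() -> Dict[str, bool]:
    """Walk through the article's newsletter example with constructed data."""
    reg = ProcessingRegistry()
    reg.document_activity("newsletter", LegalBasis.CONSENT)
    reg.document_activity("order_delivery", LegalBasis.CONTRACTUAL_NECESSITY)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results: Dict[str, bool] = {}
    # A pre-checked "subscribe me" box is not consent.
    try:
        reg.record_consent(ConsentRecord("u1", "newsletter", "Example Ltd", 365, False, True, False, False, t0))
        results["pre_ticked_rejected"] = False
    except InvalidConsent:
        results["pre_ticked_rejected"] = True
    # The user actively ticks the box: valid consent.
    reg.record_consent(ConsentRecord("u1", "newsletter", "Example Ltd", 365, True, False, False, False, t0))
    results["newsletter_before_withdrawal"] = reg.may_process("u1", "newsletter", t0 + timedelta(days=10))
    reg.withdraw("u1", "newsletter", t0 + timedelta(days=30))
    results["newsletter_after_withdrawal"] = reg.may_process("u1", "newsletter", t0 + timedelta(days=31))
    results["delivery_without_consent"] = reg.may_process("u1", "order_delivery", t0)  # contract basis
    results["undocumented_purpose"] = reg.may_process("u1", "profiling", t0)           # no basis on file
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `may_process` is the ordering of its checks: an activity with no documented basis is refused before any consent is consulted, which is the "determine and document which basis applies" step from the text made mechanical. Withdrawal is implemented by timestamp rather than by deleting the record, so the audit trail of when consent was given and withdrawn survives.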


4. Transparency and Privacy Notices 🔍

Transparency is a core principle in data protection. Individuals have the right to know how their data is being used. This is where privacy notices come in.

A good privacy notice should include:

  • The identity and contact details of the data controller
  • The purpose of data collection
  • The legal basis for processing
  • Who the data is shared with
  • Retention periods
  • The rights of data subjects (e.g., access, correction, deletion)
  • How to lodge a complaint

This notice should be easily accessible, written in clear and simple language, and presented at the point of data collection.


Real-World Example: Facebook & Cambridge Analytica Scandal

One of the most infamous cases of unlawful data processing is the Facebook–Cambridge Analytica scandal.

In this case, data from over 87 million Facebook users was harvested without their explicit consent via a personality quiz app. While only a few hundred thousand users agreed to the quiz, their friends’ data was also accessed without any notification or consent.

The data was allegedly used to build psychological profiles and influence voter behavior during political campaigns, including the 2016 U.S. presidential election and the Brexit referendum.

Consequences:

  • Facebook was fined $5 billion by the U.S. Federal Trade Commission (FTC) — one of the largest privacy fines in history.
  • Massive reputational damage and global scrutiny.
  • Public debate on data ethics and calls for stronger regulation.

This case clearly illustrates how failing to obtain proper consent and misusing data can lead to massive legal and reputational fallout.


Conclusion

Understanding consent and lawful data processing is not just about ticking regulatory checkboxes — it’s about respecting individuals’ rights, building trust, and promoting transparency in the digital economy.

For organizations, it means being clear, honest, and deliberate in how data is collected and used. For individuals, it means being aware of your rights and asking questions about how your data is handled.

In the digital age, privacy is power — and consent is your voice. Use it wisely.

Article by ~ Brian Tovo

Associate Consultant, Sentinel Africa Consulting
