Some say that lawyers start by making things complicated and then when people have just about worked out what is going on, the law changes again. Bear that in mind while you read the following definition of ‘consent’ under the General Data Protection Regulation (GDPR)…
To process personal data, an organisation must have a legal basis for such processing. One acceptable legal basis under the GDPR is ‘consent’. Consent existed under the Data Protection Act as a means by which an organisation could make its processing fair and legal, so in theory it is nothing new. In practice under the GDPR, however, it is new: consent is more difficult to obtain, and organisations must make it easy for individuals to withdraw that consent.
Why is consent so important under the GDPR?
From 25 May 2018, some organisations may find that the way certain individuals have provided consent under the old law will be considered unacceptable under the new law. This is why an understanding of the changes in the law is vital for compliance.
Also, individuals are more aware of their rights in relation to their personal data. Therefore, organisations who seek to rely on consent as a legal basis for processing must be sure that it is adequate consent in the eyes of the law. Otherwise, individuals will be able to bring legal actions (and possibly class actions) against organisations that have processed personal data without an adequate legal basis.
However, where there is a risk, there is an opportunity. Many companies are embracing the new rules around consent as a way to connect with their customers, build trust in their brand and to make the data they process more valuable. For example, a customer who is fully aware that they are consenting to an online retailer’s marketing emails and who has the ability to withdraw that consent at any time is a customer who is more likely to be interested and engaged in any marketing offers which are sent to them.
What consent means under the GDPR
Personal data can be processed legally if the individual has given consent to the processing for one or more specific purposes. In other words, you can’t just get consent to ‘marketing’ in general; you need separate consent for marketing by email, by fax and by telephone.
That consent must be:
- Freely given – an individual must not be forced into consenting. For example, if it is a condition of receiving a service that an individual consents to receiving marketing emails then the consent given to receive those marketing emails is inadequate.
- Specific – the consent provided must not be vague. For example, consenting to “marketing” is vague and, therefore, inadequate. Consenting to “marketing by email” is specific and adequate, but does not allow marketing by in-product push notification or telephone.
- Informed – an individual must understand what they are consenting to, e.g. “I understand how cookies work and I consent to you putting them on my device”.
- Unambiguous – an individual should not be confused as to what they are consenting to. For example, a sentence next to a checkbox which says, “Uncheck this box if you do not want to receive marketing email” is confusing, and if a company seeks to rely on such a method for obtaining consent it will be inadequate.
- Indicated by a clear affirmative action – e.g. by ticking a box saying, “I consent”, rather than by not ticking a box saying, “I object”.
Best practice and practical guidance
Follow these practical tips and your organisation will be going some way to complying with its obligations in relation to consent under the GDPR:
- Review your processes for obtaining consent (The Privacy Compliance Hub has a useful checklist which it makes available to its users).
- Check your existing consents for GDPR compliance ensuring you have sufficient records of how you obtained consent.
- Audit your databases and ensure that you can divide your databases between those individuals who have given different types of consent.
- Alter consent mechanisms if necessary to provide separate opt-in tick boxes for each method of marketing communication you use (The Privacy Compliance Hub offers templates).
- Review your existing procedures allowing users to withdraw consent. Ensure consent can be withdrawn easily, for example by an unsubscribe link or easy access to a privacy dashboard.
- Set up a process to record consents if you don’t already have one and make sure it records all the information required.
- Consider refreshing your consents if existing consents are inadequate.
- Update your Privacy Policy to explain how any consents work (we offer a template within The Privacy Compliance Hub).
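As an added illustration (not part of the original article or of The Privacy Compliance Hub’s templates), the following Python sketch shows a consent record shaped by the requirements and tips above: one record per marketing channel rather than for “marketing” in general, refusal of anything that is not a clear affirmative action, a stored wording and source so the organisation can show how consent was obtained, withdrawal that keeps the record as evidence, and a query that splits a database by who has live consent for a channel. The field names and the channel list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set

# Channels the article names; consent is held per channel, never for "marketing" in general.
CHANNELS = {"email", "telephone", "fax", "push_notification"}

@dataclass
class ConsentRecord:
    subject_id: str
    channel: str
    given_at: datetime
    wording: str   # exact statement the individual affirmed (the "Informed" requirement)
    source: str    # where it was captured, e.g. a form name (assumed field)
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Append-only record of how and when each consent was obtained or withdrawn."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, channel: str, wording: str, source: str,
               affirmative_action: bool, now: Optional[datetime] = None) -> ConsentRecord:
        if channel not in CHANNELS:
            raise ValueError(f"consent must name a specific channel, got {channel!r}")
        # A pre-ticked box or an "uncheck to opt out" box is not a clear affirmative
        # action, so the caller must assert one; otherwise nothing is stored as consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(subject_id, channel, now or datetime.now(timezone.utc), wording, source)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, channel: str, now: Optional[datetime] = None) -> int:
        """Withdraw consent for one channel; the record is kept as evidence, not deleted."""
        stamp = now or datetime.now(timezone.utc)
        active = [r for r in self._records if r.subject_id == subject_id
                  and r.channel == channel and r.withdrawn_at is None]
        for r in active:
            r.withdrawn_at = stamp
        return len(active)

    def has_consent(self, subject_id: str, channel: str) -> bool:
        return any(r.subject_id == subject_id and r.channel == channel
                   and r.withdrawn_at is None for r in self._records)

    def subjects_for(self, channel: str) -> Set[str]:
        """Everyone with live consent for one channel, so a database can be split by consent type."""
        return {r.subject_id for r in self._records if r.channel == channel and r.withdrawn_at is None}
```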
The issue of ‘consent’ is just one issue explained clearly and simply within The Privacy Compliance Hub. Our Hub provides all the information any organisation needs to enable it to comply with data protection law. It also provides over 30 clear templates drafted by experts who have worked within top organisations in implementing successful data protection compliance programmes.
For further info on all aspects of GDPR, explore the rest of our Hub. Ready to get your organisation’s consent up to speed? Get your free demo today.