GDPR – Consent
From a personal point of view, the new regulations surrounding consent are a huge step forward. We’re all looking forward to not receiving thousands of spam emails and cold calls.
GDPR is imposing higher standards of consent. The reason being that consent is not a one-off agreement, it is ongoing and is an actively managed choice. The system we have currently for collecting consent e.g. the one-off pre-ticked box, therefore needs to be altered.
What does the Act say?
Just to give you a quick recap, the definition of consent has changed under GDPR and is now defined as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
This is in regards to the way the consent is collected. You should leave no room for doubt about the data subject’s intentions in providing their consent to their personal data being processed.
Statement or clear affirmative action
There needs to be a positive indication of agreement by the data subject to their personal data being processes and that is not based on silence or pre-ticked boxes for example. You can still include the tick box, you just can’t pre-tick it for the client.
The client should not have been misled or intimidated into giving their consent, neither should they experience any negative impact by withholding or withdrawing their consent.
Consent that is being obtained needs to be distinguishable from other matters. If there are multiple purposes for the processing of the data, consent must be given for all of them. A blanket approach cannot be used.
So, for the individuals consent to be considered informed, they need to:
- At least be aware of the identity of the controller and the intended purposes of the processing;
- Be informed of their right to withdraw consent
One of the main issues we have seen floating about is if consent needs to be given again. Really, it all depends on how you originally collected your client’s consent. That Act states “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
If you obtained consent to the GDPR standard, i.e. that the consent was unambiguous, freely given, specific, informed and positive action was taken, then there is no need to collect the individual consent again as your approach is already in line with the GDPR requirements. If the individuals consent was not obtained in this way, then sorry to say this, but it’s back to square one.
Right, let’s plan how you should be collecting consent!
We can’t tell you exactly how to do it as every company is different and therefore will phrase or lay things out differently. What we can do is provide you with some ideas as to how to go about collecting data.
- The consent needs to be unbundled. This means that the terms and conditions for example need to be separate from the contact permission.
- Granular consent. Granular consent means consenting to each contact method separately. So really, there should be different tick-boxes for different forms of communication. So, for example:
- Yes please, I would like to receive communications by email
- Yes please, I would like to receive communications by telephone
- Yes please, I would like to receive communications by SMS (text message)
- Yes please, I would like to receive communications by post
Then have a corresponding no for each section. This way the client is in full control of what they opt in to.
- Named consent. You need to be clearly naming the organisations that will have access to user data. For example:
- I would like to receive updates from Waitrose
- I would like to receive updates from John Lewis etc.
You should not be using ‘I’d prefer not’ as this option is an opt-out rather than an opt-in.
- Active opt-in. The individual needs to complete an action to opt-in rather than taking option to opt-out. Using a tick box is a good approach, but this can no longer be pre-ticked. Leaving the box for the client to tick is a form of active opt-in.
- Lastly, easy to withdraw. The client must be able to find it as easy to withdraw their information as easy as they found it to opt-in. They must not come to any hardship or any detriment by withdrawing their data.
As always, get in touch if anything is unclear or if we can provide further guidance. The countdown is now on.