From a personal point of view, the new regulations surrounding consent are a huge step forward. We’re all looking forward to not receiving thousands of spam emails and cold calls.
GDPR is imposing higher standards of consent. Consent is not a one-off agreement; it is ongoing and an actively managed choice. The system we currently have for collecting consent, e.g. the one-off pre-ticked box, therefore needs to be altered.
Just to give you a quick recap, the definition of consent has changed under GDPR and is now defined as:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
This relates to the way the consent is collected. You should leave no room for doubt about the data subject’s intentions in providing their consent to their personal data being processed.
There needs to be a positive indication of agreement by the data subject to their personal data being processed, and that indication cannot be based on silence or pre-ticked boxes, for example. You can still include the tick box; you just can’t pre-tick it for the client.
The client must not have been misled or intimidated into giving their consent, nor should they experience any negative impact from withholding or withdrawing their consent.
Consent that is being obtained needs to be distinguishable from other matters. If there are multiple purposes for the processing of the data, consent must be given for each of them. A blanket approach cannot be used.
So, for the individual’s consent to be considered informed, they need to:
One of the main issues we have seen floating about is whether consent needs to be given again. Really, it all depends on how you originally collected your client’s consent. The Regulation states “it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation.”
If you obtained consent to the GDPR standard, i.e. the consent was unambiguous, freely given, specific and informed, and positive action was taken, then there is no need to collect the individual’s consent again, as your approach is already in line with the GDPR requirements. If the individual’s consent was not obtained in this way, then, sorry to say, it’s back to square one.
We can’t tell you exactly how to do it as every company is different and therefore will phrase or lay things out differently. What we can do is provide you with some ideas as to how to go about collecting data.
Then have a corresponding ‘no’ for each section. This way the client is in full control of what they opt in to.
You should not be using ‘I’d prefer not’ as this option is an opt-out rather than an opt-in.
As always, get in touch if anything is unclear or if we can provide further guidance. The countdown is now on.