Do you know what data you’re capturing?

Following on from our article on “The Murky World of Consent and Opt-in,” we thought we would issue some helpful guidance, not only on consent itself but also on knowing what information you are capturing, what you are doing with that data, and how you can evidence the lifecycle of that data when a Subject Access Request arrives.

Asking for Consent

Let’s start with one of the closing points of our previous article: “As a rule of thumb, only use explicit consent as a last resort, as this can be withdrawn at any time”. The first thing to consider is therefore whether consent is the most appropriate lawful basis for the processing at all.

When it comes to opt-in, have you stated the opt-in for your customers and data subjects in clear, plain language, rather than burying it deep in a set of terms and conditions? Also, do not use pre-ticked boxes: individuals must positively opt in themselves, and they should be offered granular options that clearly define the specific processing types (email, telephone and post are just a few examples of such definitions).

When asking for consent, have you stated the essentials? Who is your organisation, and how will you use the data?

Have you informed individuals that they can withdraw their consent at any time? Explain that they can refuse consent without detriment, and that giving consent is not a precondition of receiving the service.

Most importantly, if the service you offer is online and directed at children, only seek consent if you have age verification and parental consent measures in place to back up that consent.

Record and Manage Consent

Let’s move on to how you record and manage consent. How do you document how you obtained consent, when you obtained it, and exactly what was stated to the individual at the time? This is a requisite of a privacy notice.

Do you regularly review consent, checking whether the purposes for processing are still accurate or have changed? Do you have processes in place to refresh consent at an appropriate interval (especially parental consent)?

Have you considered using a preference management tool, such as a gateway or portal, to make it easier for individuals to manage or withdraw their consent? Have you made public how you use these tools?

Letting your customers know that you will not penalise them for withdrawing their consent, and that you act on withdrawals as soon as possible, is good practice and a good customer service ethic.

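As an added illustration of the recording practices described in this section (example code written for this editing pass, not the author’s own code or any vendor’s product), the following Python sketch keeps an append-only consent ledger. Each granular purpose (email, telephone, post) starts unconsented, with no pre-ticked default; every grant records when, how and with exactly what wording it was obtained; a withdrawal takes effect the moment it is recorded; a consent older than the refresh period is no longer relied on; and the full history for one individual can be exported to answer a Subject Access Request. The class and field names, the 730-day refresh period and the sample purposes are assumptions made for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed set of granular processing types; each is opted into separately.
PURPOSES = ("email", "telephone", "post")


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded choice. Never mutated: changes are new events."""
    subject_id: str
    purpose: str
    granted: bool          # True = positive opt-in, False = withdrawal
    recorded_at: datetime  # when the choice was made (UTC)
    method: str            # how it was obtained, e.g. "web-form", "paper-form"
    notice_version: str    # identifies the wording the individual saw
    notice_text: str       # the exact statement shown at the time


class ConsentLedger:
    """Append-only consent record (hypothetical design for this example)."""

    def __init__(self, refresh_after: timedelta = timedelta(days=730)):
        self._events: list[ConsentEvent] = []
        self.refresh_after = refresh_after  # assumed refresh interval

    def _check_purpose(self, purpose: str) -> None:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")

    def grant(self, subject_id: str, purpose: str, method: str,
              notice_version: str, notice_text: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        # A grant only ever comes from an explicit action: there is no default.
        self._check_purpose(purpose)
        ev = ConsentEvent(subject_id, purpose, True,
                          at if at is not None else datetime.now(timezone.utc),
                          method, notice_version, notice_text)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str,
                 method: str = "preference-portal",
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is recorded immediately and takes effect immediately.
        self._check_purpose(purpose)
        ev = ConsentEvent(subject_id, purpose, False,
                          at if at is not None else datetime.now(timezone.utc),
                          method, "withdrawal", "Consent withdrawn by the individual")
        self._events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.recorded_at) if matches else None

    def has_consent(self, subject_id: str, purpose: str,
                    now: Optional[datetime] = None) -> bool:
        """True only for a current, positive, not-yet-stale opt-in."""
        self._check_purpose(purpose)
        now = now if now is not None else datetime.now(timezone.utc)
        latest = self._latest(subject_id, purpose)
        if latest is None or not latest.granted:
            return False  # never asked, or withdrawn: default is no consent
        return now - latest.recorded_at <= self.refresh_after

    def due_for_refresh(self, now: Optional[datetime] = None) -> list:
        """(subject, purpose) pairs whose opt-in is older than the refresh period."""
        now = now if now is not None else datetime.now(timezone.utc)
        due = []
        for subject_id, purpose in sorted({(e.subject_id, e.purpose) for e in self._events}):
            latest = self._latest(subject_id, purpose)
            if latest.granted and now - latest.recorded_at > self.refresh_after:
                due.append((subject_id, purpose))
        return due

    def subject_access_export(self, subject_id: str,
                              now: Optional[datetime] = None) -> dict:
        """Everything held about one individual's consent, for an access request."""
        now = now if now is not None else datetime.now(timezone.utc)
        history = sorted((e for e in self._events if e.subject_id == subject_id),
                         key=lambda e: e.recorded_at)
        return {
            "subject_id": subject_id,
            "current": {p: self.has_consent(subject_id, p, now) for p in PURPOSES},
            "consent_history": [
                {**asdict(e), "recorded_at": e.recorded_at.isoformat()} for e in history
            ],
        }


if __name__ == "__main__":
    # Constructed walk-through: one opt-in, one withdrawal, one export.
    ledger = ConsentLedger()
    ledger.grant("subject-0001", "email", "web-form", "notice-v3",
                 "Tick this box to receive our newsletter by email.")
    ledger.withdraw("subject-0001", "email")
    print(ledger.subject_access_export("subject-0001"))
```

The point of the append-only shape is evidential: a Subject Access Request is answered from the same records that drive the live “may we email this person?” decision, so what you can prove and what you actually do cannot drift apart.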
Now that you have your consent in order, do you know what you are capturing? This question also extends to what you have already captured.

Data Audit

A data audit is an excellent practical step to help you understand the information you hold and your processes. Knowing how you capture this data will clarify how you intend to use it and for what purpose. The information also needs reviewing for quality. Review the information you hold to assess who has access to it and who you share it with, and then decide how to control the data you hold.

The final piece should always be about retention and the right of erasure, but these are covered in our other articles and throughout the training.

Please read our other blog articles for more information on who the EU GDPR affects.

So, having followed this advice, when you receive your first Subject Access Request under the General Data Protection Regulation you can provide everything you need quickly, and certainly within the allotted one-month response period. Then you can truthfully state that you are info-ready.