The murky world of “consent” is one of the next significant changes to evolve the data protection landscape.
Consent to store an individual’s data can get a little wordy. It is filled with legal jargon and is also the area of the GDPR law that the ICO has stated will “be subject to the highest tier of administrative fines”; so here we will break down the barriers to help you understand the requirements.
No longer can consent be “implied”: it must be “explicitly” given using “clear, plain language”, and you will need to keep proper records of it. The GDPR will ban the use of pre-ticked opt-in boxes, which are commonplace online.
Individuals will be entitled to know how organisations use their personal data, what purpose they require it for and with whom they intend to share the information.
Also, be aware that consent can be withdrawn at any time! Under the “Right to be Forgotten”, an organisation must delete any data at the request of the data subject [1].
For ease of understanding, “consent” can be split into three categories: opt-in, third-party consent, and lawful grounds for processing other than consent.
Opt-in consent: as advised in guidance released by the ICO in March 2017, your customers, beneficiaries or data subjects must give consent for specific purposes. And no, you cannot hide this in terms and conditions buried in the depths of a page somewhere on your organisation’s website; it must be in clear, plain language.
The ePrivacy directive (covering email and SMS communications) also requires explicit consent, with no opt-outs.
Third-party consent: clear contractual statements and standards must be included in contracts. Do carry out third-party supply chain assessments and Data Protection Impact Assessments, so that you know what your suppliers and contractors are going to do with your customers’, beneficiaries’ or data subjects’ data.
Lawful grounds: any of the following grounds can be relied on: vital interest, lawful basis, contractual, or legitimate interest, except for sensitive data, where lawful, vital or contractual are the only bases.
As a rule of thumb, only use explicit consent as a last resort, as it can be withdrawn at any time.
Now that we have ascertained how to gain consent, there were some other terms we mentioned about which you probably wondered, “What’s the ePrivacy directive?” and “What’s a Data Protection Impact Assessment?” We’ll cover these in our training.
Oh, and one last point! The GDPR legislation contains specific details on the processing of data regarding children. Consent must be given or authorised by a person with parental responsibility for the child, and notices addressed to children must be child-friendly.
Are you interested in our training? Then please contact us!
[1] In specific circumstances.