Following on from our article “The Murky World of Consent and opt-in”, we thought we would offer some helpful guidance: not only on consent itself, but on knowing what information you are capturing, what you are doing with that data, and how you can prove the lifecycle of that data when it comes to a Subject Access Request.
Asking for Consent
Let’s start with one of the closing points of our previous article: “As a rule of thumb, only use explicit consent as a last resort, as it can be withdrawn at any time”. The first thing to consider is whether consent is the most appropriate lawful basis for the processing at all.
When it comes to opt-in, have you stated the opt-in for your customers and data subjects in clear, plain language, rather than burying it deep in a set of terms and conditions? Do not use pre-ticked boxes: individuals must positively opt in themselves, and they should be given granular options that clearly define the specific processing types (email, telephone and post, to give just a few examples).
When asking for consent, have you stated the basic essentials: who your organisation is and how you are going to use the data?
Do you inform individuals that they can withdraw their consent at any time? Explain that they can refuse to consent without any detriment to them, and that giving consent is not a precondition of receiving the service.
Most importantly, if the service you are offering is online and directed at children, only seek consent if you have age verification in place, backed by parental consent measures.
Record and Manage Consent
Let’s move on to how you record and manage consent. How do you document how you obtained consent, when you obtained it, and exactly what the individual was told at the time? The wording you record should be the wording given in your privacy notice at that time.
Do you regularly review consent, checking that the purposes for processing are still accurate? If they have changed, do you have processes in place to refresh the consent at an appropriate interval (especially parental consent)?
Have you considered using a preference management tool, such as a gateway or portal, to make it easier for individuals to manage or withdraw their consent, and have you publicised how to use it?
Letting your customers know that you will not penalise them for withdrawing their consent, and processing withdrawals as soon as feasibly possible, is good practice as well as good customer service.
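The record-keeping described in this section, as an added example that is not part of the original article: a small append-only consent ledger in Python. The class and identifiers (ConsentLedger, subject-42, signup-form-v3, the notice wording) are hypothetical. It stores, per purpose, when consent was recorded, where it came from and a SHA-256 of the exact wording shown, so that a later Subject Access Request can reproduce the lifecycle. It refuses pre-ticked boxes, treats withdrawal as a new event rather than an edit of the old one, and flags grants that are old enough to need refreshing.

```python
import hashlib
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only ledger entry: a grant or a withdrawal for one purpose."""
    subject_id: str
    purpose: str          # granular processing type, e.g. "email", "telephone", "post"
    action: str           # "granted" or "withdrawn"
    recorded_at: str      # ISO 8601 timestamp in UTC
    source: str           # how it was collected, e.g. a form name or the portal
    notice_sha256: str    # hash of the exact wording shown to the individual
    notice_text: str      # the wording itself, kept so it can be reproduced


class ConsentLedger:
    """Records consent so that who/when/how/what-was-said can be proved later."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self._events: List[ConsentEvent] = []
        # Injectable clock so the walk-through below is deterministic.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, subject_id, purposes, action, source, notice_text):
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        stamp = self._clock().isoformat()
        for purpose in purposes:
            self._events.append(ConsentEvent(subject_id, purpose, action, stamp,
                                             source, digest, notice_text))

    def grant(self, subject_id, purposes, source, notice_text, pre_ticked=False):
        # A pre-ticked box is not a positive opt-in, so refuse to record it.
        if pre_ticked:
            raise ValueError("consent must be a positive opt-in, not a pre-ticked box")
        self._append(subject_id, purposes, "granted", source, notice_text)

    def withdraw(self, subject_id, purposes, source):
        # Withdrawal is a new event; earlier grants are never edited or deleted.
        self._append(subject_id, purposes, "withdrawn", source,
                     "Withdrawal requested by the individual")

    def _latest(self, subject_id, purpose) -> Optional[ConsentEvent]:
        hits = [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]
        return hits[-1] if hits else None

    def is_active(self, subject_id, purpose) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.action == "granted"

    def due_for_refresh(self, subject_id, max_age: timedelta) -> List[str]:
        """Purposes whose current grant is older than max_age (e.g. parental consent)."""
        now = self._clock()
        due = []
        for purpose in sorted({e.purpose for e in self._events if e.subject_id == subject_id}):
            latest = self._latest(subject_id, purpose)
            if latest.action == "granted" and \
                    now - datetime.fromisoformat(latest.recorded_at) > max_age:
                due.append(purpose)
        return due

    def subject_access_export(self, subject_id) -> Dict:
        """Everything about this subject's consent, in the shape a SAR response needs."""
        history = [asdict(e) for e in self._events if e.subject_id == subject_id]
        purposes = sorted({e["purpose"] for e in history})
        return {
            "subject_id": subject_id,
            "active_purposes": [p for p in purposes if self.is_active(subject_id, p)],
            "history": history,
        }


def demo() -> Dict:
    """Constructed walk-through: grant three purposes, withdraw one a year later."""
    clock_at = [datetime(2018, 5, 25, tzinfo=timezone.utc)]
    ledger = ConsentLedger(clock=lambda: clock_at[0])
    notice = ("Example Ltd will use your details to send offers by email, "
              "telephone and post. You can withdraw at any time without penalty.")
    ledger.grant("subject-42", ["email", "telephone", "post"], "signup-form-v3", notice)
    clock_at[0] += timedelta(days=365)
    ledger.withdraw("subject-42", ["telephone"], "preference-portal")
    return {
        "export": ledger.subject_access_export("subject-42"),
        "due_for_refresh": ledger.due_for_refresh("subject-42", timedelta(days=180)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The hash of the notice text is what lets you answer “exactly what was this person shown?” without trusting that the current privacy notice is unchanged; keeping the text alongside it means the answer can be reproduced even after the notice has been revised.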
Now that you have your consent in order, do you know what you are capturing? This also extends to what you have already captured.
A data audit is an excellent practical step towards understanding the information you hold and the processes around it. Knowing how you capture data helps you define what its intended use is. The information itself also needs reviewing, to assess the quality of the data. Reviewing what you hold also lets you establish who has access to it and who you share it with, so that you can decide how to control it.
The final piece should always be retention and the right of erasure, but these are covered in our other articles and throughout the training.
For more information on who the EU GDPR affects, please read our other blog articles.
Having followed this advice, when you receive your first Subject Access Request under the General Data Protection Regulation you will be able to provide everything needed quickly, certainly within the allotted one month response period, and can truthfully say that you are info-ready.