Consent within GDPR relates to you as an organisation clearly stating what a data subject is agreeing to and what rights they have when they agree to their personal data being processed. For consent to be deemed valid, the data subject needs to have made a properly informed choice on whether to give consent, which means the information they need to make that choice must be easily available to them. Consent must be freely given and it must be given via a positive affirmative action. Consent cannot be tied to any kind of benefit offered in return, nor requested in a coercive way. The GDPR guidance lays out the information that must be made available to them:
- The controller’s identity.
- The purpose of the processing: what exactly will be collected and what it will be used for.
- The fact that they have the right to withdraw consent at any time.
- Information about any automated processing, such as decision making, that will be taking place.
- Whether the data is going to be used by another controller, for example in the case of data used for marketing purposes (the other controller(s) should be named at the time the consent is being gathered).
- If the consent is related to exporting the data to another territory, information about where and about what steps are being taken to make sure that this will be done in a safe and secure way.
Your business needs a data collection policy that can be understood and employed throughout the whole of your organisation and your business should regularly review how you ask for and record consent. This will mean that:
- You have checked that consent is the most appropriate lawful basis for processing.
- The request for consent has been made prominent and separate from your terms and conditions.
- Individuals have been asked to positively opt in using un-ticked opt-in boxes or similar active opt-in methods.
- Clear and plain language that is easy to understand, has been used throughout.
- The reason for collecting the data has been clearly explained, and information on what the company will do with it is stated in jargon-free language.
- Where multiple consents are needed for different types of processing, granular options that allow individuals to consent separately to each type of processing have been offered.
- Your business/organisation and any third party organisations who will rely on this consent have been named.
- Individuals have been informed that they can withdraw consent at any time and they have been told how to do this.
- Individuals may refuse to grant consent without any detriment, because consent has not been made a precondition of service.
Your business also needs a system to manage consent on an ongoing basis. Getting consent is not the end of the matter. Reasons for data processing and relationships with data subjects change, so it is advised to make sure of the following:
- A record is kept of when and how you obtained consent from the data subject, including full details of what exactly they were told.
- Consent is regularly reviewed to check that processing and/or purposes of the processing have not changed.
- A mechanism is in place to refresh consent at appropriate intervals, including any parental consents.
- A privacy dashboard or consent management tool is in place to help with the management of this important area of the regulation.
- It is easy for individuals to withdraw their consent at any time, and information on how to do so has been made available to them.
- Withdrawals of consent are acted upon as soon as possible, in accordance with the timeframe stated in the policy.
- Individuals who wish to withdraw consent are in no way penalised for doing so.