GDPR consent requirements
With the date of GDPR enforcement just one year away, more businesses than ever are learning about the new, incoming directive and planning the changes required to be fully compliant. Among the updates and revisions all businesses who have dealings with consumers from the European Union will need to make are those surrounding ‘consent’.
Consent around personal data – how it will be used, where it will be shared and how long it will be held – has been a problem in recent years. And, given how often the issue of consent around customer data sharing raises its head, the GDPR was seen as the perfect opportunity to clear it up.
Under the UK’s current Data Protection Act, consent isn’t explicitly defined. Under the GDPR, it is. With strict fines to be issued for non-compliance with the GDPR, we’re going to explain how the new consent rules will affect your business and how to ensure compliance.
Consent Defined for the GDPR
When it comes to processing consumer data, companies – all companies – are required to secure consent from the consumer whose data they want to use and/or share. In the past, the idea of consent has been discussed and argued over, but explicit agreement on when consent has and hasn’t been given is still something that is open to interpretation.
The GDPR’s attempt to ease this problem, and to define consent with regard to both general personal information and sensitive personal information, reads as follows:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement….Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
And that’s not all the EU has to say on the subject of consent. If you want to see it all, the latest version of the GDPR will keep you busy.
As you can see from the short excerpt we’ve selected, the GDPR takes consent very seriously – as it should – and is attempting to clarify exactly what is meant by it. The very fact that it is working hard to pin down a watertight definition of consent with regard to consumer data means that you should have the right systems in place to make it work for your business, too.
In plain English, the GDPR wants every request for data to make the following clear:
- What data is requested.
- Why the data is needed.
- How the data will be used.
- The business’s reasoning for wanting to use the data for the purposes it has indicated.
- That parental consent is required for children’s data (under the age of 16).
- That consumers can change their mind and request that their data be deleted.
- That the consumer has a real choice as to whether to hand over their data or not.
- How the consumer can actively and freely consent to their data being used, in a simple but clear way.
Some Confusion Remains
Although the GDPR has attempted to formalise exactly what it means by consent, and what is acceptable in terms of consumers giving consent for their data to be used, there is still some uncertainty. Earlier this year, the Information Commissioner’s Office (ICO) launched a short consultation around the consent question and received around 300 responses over a period of only a few weeks.
The ICO is now assessing the responses, crunching the data and intends to publish a report and some guidance in June 2017. This level of communication over the consent definition highlights that, to many businesses, the GDPR isn’t clear enough.
How Businesses Can Comply with the GDPR’s New Consent Rules
Right now, silence from a consumer whose data you hold, or a pre-ticked box on communications between the two parties, is enough to constitute consent to using that consumer’s data. From May 25th, 2018, that will no longer be the case.
In order to comply with the new rules around consent, there are a number of things you’ll need to do. They include:
- Ensuring all of your marketing materials, consumer contact forms and emails, and online forms and requests for data, give your customers and potential customers the option to share their data with you.
- You’ll also need to have clear reasons as to why you might use and store that data.
- Another requirement will be setting out the benefits of sharing that data – while clearly giving consumers the ability to actively consent to you doing so, or not, perhaps via a tick box or a link.
- Communications will also need to include details on how to request that their information be deleted from your databases and those of your partners.
Essentially, a thorough review of all your online content, email marketing and customer contact templates, and any hard-copy materials, is required. If you use an agency or another third party to manage your content and communications, then you’ll need to ensure they do this.
And, because it’s ultimately the responsibility of the business that consumers are contacting – and not the third party that manages it – you, as a business, will still need to check everything. It may be an arduous process. However, it will give you the confidence of knowing that every time your business requests personal information from customers and potential customers, it’s doing so in a fully GDPR-compliant way.
It Will Be Worthwhile
With recent ransomware attacks, and knowing that millions of people’s personal information – sensitive and otherwise – is at risk of falling into criminals’ hands, it’s surely much safer to know the information held was obtained in a completely compliant way. Of course, that doesn’t stop data leaks. But, if you can prove you obtained and were storing that data legitimately, then it’s at least one less detail to worry about.
Making a business fully GDPR compliant isn’t going to be a walk in the park for anyone. However, if you can understand what’s required and get to work on the trickier bits – such as creating the correct details around consent – then your business should be well placed to be GDPR ready 12 months from now.