Under the current European Data Protection Directive, consent is a legally valid reason to hold and process personal data. This will continue to be the case with the introduction of the General Personal Data Regulation (GDPR). What is changing with GDPR is that the meaning of consent has more definition and businesses and organisations need to comply with this definition, and the requirements within it, in order for consent to be valid.
Getting Initial Consent
One important aspect of managing consent is obtaining it initially. Any business that wants to comply with GDPR needs to ensure that:
- There is no coercion involved, and consent is provided freely.
- Consent is provided, and used for, a specific purpose.
- Individuals fully understand what they are consenting to.
- A positive action is taken to indicate consent. Assumption by lack of action is not sufficient, neither is a prechecked tick box.
How Long Does Consent Last?
Another important aspect of consent management, that can affect compliance with GDPR, is how long consent lasts for. There is no single definition, but consent should only be used in respect of processing data for a specific purpose. Once that purpose no longer exists, consent is no longer in place. Businesses should also make it easy for individuals to opt out of consenting, if they wish to do so.
It is important that businesses keep a close eye on the consent that they have received, and consider carefully what they use it for and whether it is still current. Failure to do so could lead to a costly breach of GDPR.