What are the GDPR Customer Consent Rules?

When the General Data Protection Regulation (GDPR) comes into force on 25 May 2018, the rules for obtaining consent will be more stringent than they are at present. Business owners and data protection specialists need to be aware of the changes. If they are not, they could face a hefty fine or other enforcement action.

It is important to remember that any business must have consent before directly marketing their product or service to people, by telephone, email or text. They also need consent to pass details on to a third party.

What constitutes consent?

One of the most important things to consider when GDPR comes in is that consent must be unambiguous: the person giving it has to have taken some form of affirmative action to show that they understand what they are agreeing to and are happy to consent, and the consent has to be given freely by that individual. One obvious change this brings is that businesses will no longer be able to use pre-ticked boxes when acquiring consent. Failing to “un-click” a pre-ticked box is an act of omission rather than a positive act, so for the purposes of GDPR it is not a legitimate way of obtaining consent from a data subject.

How can a business obtain consent?

The one thing that a business should not do to obtain consent is contact an individual directly. This in itself is considered to be direct marketing, and is illegal. The best way to obtain consent is to use a full explanation and a tick box. Businesses can also ask for people to complete an online form, or send an email.

The most important thing for any business to remember is that they need to be able to show when and how consent was granted, as well as who acquired it.

Many businesses already comply with all of the consent requirements that GDPR stipulates, but any that do not will need to make changes or face potentially severe punishment.

Every organisation holding personal data about people located in the European Union needs to fully comply with GDPR. It is not optional, and it does not matter whether the organisation has a physical or legal presence in the European Union.