When the General Data Protection Regulation (GDPR) is introduced on 25 May 2018, you may still be able to use the consent you have acquired from existing customers under previous data protection regulations, but depending on how it was sought, you may need to request it again. Under the GDPR, as under the previous EU Directive, consent must be given freely, and it must be specific and informed. As this part has not changed from the current legislation, these aspects should already have been taken into account and your organization should already be in compliance with them.
That being said, the GDPR has introduced a number of new standards regarding consent that are more detailed. You will need to ensure that your organization complies with these regulations. Below, we list and briefly describe some of the most important points that must be adhered to. If the manner in which your organization previously acquired consent does not meet these standards, then your existing consent is not sufficient and is therefore not GDPR compliant.
Consent must be separate
Consent can no longer be given by users as part of agreeing to a larger set of general terms and conditions. The act of giving consent to collect or process data must be a stand-alone, separate action. Organizations are also prohibited from making use of a service conditional on users consenting to the collection and processing of their data, unless the data obtained is specifically required and necessary for the service to be delivered.
Pre-ticked “opt-in” boxes cannot be used
The GDPR notes that “consent should be given by a clear affirmative act”. This means that the users themselves have to take an action which is clearly shown to be for the purpose of consenting to the use of their data. A pre-checked box does not meet this requirement, as the user would need to take an action declining consent as opposed to an action providing consent. People have to actively opt-in for consent to be valid under the GDPR. Using pre-ticked opt-in boxes is now illegal.
Silence is not consent
Just as pre-checked boxes do not meet the “clear affirmative act” threshold for consent required by the GDPR, silence is also no longer valid as a method of obtaining consent. For telephone calls or other situations where silence was previously construed as consent (for recording a call, for example), the user will now be required to take some kind of action authorizing the use of their data. This could take the form of verbally agreeing or pressing a button on a handset.
Separate consent should be sought for separate data uses
If data is being collected with the intent to use it for different purposes, then organizations must ensure that consent is obtained for each use separately. This means, for example, that consent to store an email address in order to send a monthly newsletter may not be sufficient to use the same data to send weekly updates about upcoming sales or offers. This is part of the larger requirement of obtaining clear and informed consent.
All parties that use data must be named
Every organization must identify itself, as well as any third parties that may use the data, when consent is being sought. Article 13 of the law states that users must be informed of the “recipients or categories of recipients of the personal data, if any” when they grant consent for their data to be used. This means that consent obtained previously which only mentioned the primary data controller, while the data was being sold or otherwise provided to third parties – or to only vaguely identified third parties – is no longer valid, and consent must be reacquired with more explicit information provided on the eventual users of the data.
Consent must be documented
Every aspect of the consent process must be comprehensively documented, as organizations will need to be able to prove compliance to supervisory authorities and in the event of audits. The GDPR specifies that “the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
It must be easy to withdraw consent
One of the most important aspects of the new legislation is that organizations must not make it difficult for people to withdraw consent. The process must be simple – indeed, the Regulation notes that “it shall be as easy to withdraw as to give consent”. Organizations must therefore take steps to make it easy to withdraw consent and to halt processing when this occurs.
Before GDPR becomes a reality, you must ensure that all of your past and current consents comply with these regulations. If you do not do this, you could find your organization on the receiving end of a significant fine.
Every organization holding personal data from people located in the European Union needs to fully comply with GDPR. It is not optional. It does not matter whether the organization has a physical or legal presence in the European Union.