Consent is one of the trickiest parts of the GDPR. Especially in practice when you start looking at it from a perspective of specific personal data processing activities whereby consent turns out to be the only or most appropriate legal basis for the lawful processing of personal data.
For consent to be informed and specific, the data subject (e.g. your customer or your employee) must at least be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against ‘function creep’. The data subject must also be informed about his or her right to withdraw consent anytime. The withdrawal must be as easy as giving consent.
The consent must be bound to one or several specified purposes which must then be sufficiently explained. If the consent should legitimize the processing of special categories of personal data, the information for the data subject must expressly refer to this.
GDPR Article 7 sums up the essential conditions regarding consent (to be valid). In a nutshell:
- Consent needs to be freely given.
- Consent needs to be specific, per purpose.
- Consent needs to be informed.
- Consent needs to be an unambiguous indication.
- Consent is an act: it needs to be given by a statement or by a clear act.
- Consent needs to be distinguishable from other matters.
- The request for consent needs to be in clear and plain language, intelligible and easily accessible
So remember:
- Make sure that consent is given freely and actively. Do not use pre-checked boxes on your webforms.
- Carefully manage the consent lifecycle: from data collection and enabling data subjects to change or withdraw consent to deleting personal data. You can use specific software solutions for consent management like i.cntrl.it
- Before looking to tools and solutions, you should have your consent mechanics in place: know where you need consent and what the consequences are for your organization in terms of personal data processing activities.
Related tips
Use adequate security measures for your data storage
Since the introduction of the GDPR legislation, we know that we cannot collect this data without permission. That is why we have provided our websites and our apps with well-written Privacy Statements and Cookie Policies.
But even if we only store this data and do not use it immediately for direct marketing campaigns, the GDPR legislation still imposes some requirements.
Show your photographer who agreed to be pictured
More and more people are really annoyed about the unconfirmed publishing of pictures. It’s not good marketing practice any longer to just move forward and publish-as-you-please.
Have your staff use the auto-lock feature on their smartphone
Via the smartphone of your collaborators, anyone can get access to their e-mail correspondence. This access is often less protected than the PCs and desktops they are using.