Before diving into this post, we recommend you check out our recent post on lawful basis under the GDPR. It provides useful background on when to use consent under the GDPR.
Consent under the GDPR has been a hot topic for almost all organizations required to comply with the regulation. Consent under the GDPR is defined as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The GDPR’s new requirements for consent are pretty stringent, particularly around requesting and maintaining records of consent. But we’ve done some of the heavy lifting for you. Our team of GDPR experts has identified a few key rules you need to keep in mind when creating consent forms, and built a phased checklist for collecting, recording, and managing consent.
Keep reading to learn more about consent under the GDPR, and then download the checklist when you’re ready to get started.
Meeting the GDPR Consent Notice Requirements
The GDPR is clear that consent must be unambiguous, individuals providing consent must be well informed, and consent must be freely given. Organizations complying with the GDPR must have a firm understanding of the GDPR’s definition of consent and implement a way of collecting consent from their employees and customers that is straightforward, transparent, and meets the very specific requirements of the regulation.
Under the GDPR, you can collect consent through many forms, including written, verbal, electronic, or any other form that clearly depicts the data subject’s acceptance of the proposed processing of their personal data.
While consent can come in different forms, there are very specific requirements around the wording and presentation of the consent request. Here are the important rules that you need to keep in mind when collecting consent:
1. Consent Wording: Consent must be informed.
Data subjects need to be fully informed of the processing and data practices they are consenting to before granting consent and before an organization begins processing. Data subjects must be notified of:
- The name or title of their data processor;
- The purpose and the lawful basis (or bases) for processing their data;
- The type of data that will be processed; and,
- Their rights to access, erasure, and withdrawal.
2. Consent Opt-Ins: Consent requires affirmative actions.
This means that organizations cannot include consent by default into contracts or pre-ticked boxes on paper or electronic consent forms. Data subjects must be provided an opt-in method that allows them to pick and choose the level of consent they want to provide.
3. Consent Notice: Consent needs to be distinguishable.
Organizations are not permitted to include their request for consent within their terms and conditions. You must separate your requests for consent from all other matters and make sure that the request is accessible and written in plain language for data subjects. If you’re collecting consent for various reasons, you will need to adopt a cautious approach and create a system for managing these scenarios and determining how consent applies to each one.
Understanding the GDPR's Right to Withdraw Consent
Consent is one of the six lawful bases for data processing under the GDPR, but it can be the most difficult route for data processing. The challenge with consent for organizations is the right to withdraw. Anytime during the processing of a data subject’s personal data, the data subject has the right to withdraw consent, and organizations must acknowledge and respond to the individual’s request without delay.
If you decide to use consent as a lawful basis for processing, you must ensure your organization has a robust process for managing consent, so you can easily provide consent notifications, maintain records of consent (including grants and withdrawals), and respond to requests for withdrawal without delay. Managing consent under the GDPR requires organizations to:
- Keep a record of data subjects who have granted consent to processing, the date and time consent was given, how that consent was received (e.g., electronically, after notice, etc.), and where consent was given;
- Periodically review the purpose of processing to ensure nothing has changed; and
- Create a system in which withdrawal can be conducted in a timely manner.
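One way to implement the record-keeping and withdrawal points above is an append-only consent ledger: every grant and every withdrawal is stored with who, when, how, and where, the current state for a given purpose is simply the most recent event, and any processing step that relies on consent is gated on that state. The Python below is an added example written for this post, not code from the post's author or from Focal Point; the field names, purpose labels (`marketing_email`, `analytics`, `profiling`), form and notice identifiers, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal. The fields mirror the record-keeping items in the
    post (who, when, how, where); the names themselves are this example's choice."""
    subject_id: str
    purpose: str          # one processing purpose per event, so consent stays granular
    action: str           # "grant" or "withdraw"
    timestamp: datetime   # tz-aware; when the statement or affirmative action was received
    method: str           # how it was received, e.g. "web_form", "verbal", "paper"
    location: str         # where it was given, e.g. a form id or office (constructed labels)
    notice_version: str   # which consent notice text the subject was shown


class ConsentLedger:
    """Append-only record of consent events. Entries are never edited or deleted,
    because the history itself is the evidence that consent was lawfully obtained."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.action not in ("grant", "withdraw"):
            raise ValueError(f"unknown action {event.action!r}")
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self._events.append(event)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Consent is in force only if the latest recorded event for this subject and
        purpose is a grant. No event at all means no consent (nothing is assumed by
        default), and a withdrawal takes effect the moment it is recorded."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.timestamp <= at]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.timestamp).action == "grant"

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one subject, oldest first: what an access request
        or an auditor would be shown."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.timestamp)


def grants_from_form(subject_id: str, ticked: Iterable[str], method: str,
                     location: str, notice_version: str, when: datetime) -> List[ConsentEvent]:
    """Turn a submitted opt-in form into events. Only purposes the subject actively
    ticked become grants; an unticked purpose produces no event at all, so there is
    no way for a default or pre-ticked box to be recorded as consent."""
    return [ConsentEvent(subject_id, p, "grant", when, method, location, notice_version)
            for p in sorted(set(ticked))]


def process_if_consented(ledger: ConsentLedger, subject_id: str, purpose: str,
                         handler: Callable[[str], None]) -> bool:
    """Gate placed in front of any processing step that relies on consent."""
    if not ledger.has_consent(subject_id, purpose):
        return False
    handler(subject_id)
    return True


def demo() -> dict:
    """Constructed walk-through: a subject opts in to two purposes on a web form,
    then withdraws one of them by phone a day later."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    for ev in grants_from_form("subj-001", ["marketing_email", "analytics"],
                               "web_form", "signup-form-v3", "notice-2018-05", t0):
        ledger.record(ev)
    ledger.record(ConsentEvent("subj-001", "marketing_email", "withdraw",
                               t0 + timedelta(days=1), "verbal", "support-line", "notice-2018-05"))
    sent: List[str] = []
    return {
        "marketing_before_withdrawal": ledger.has_consent("subj-001", "marketing_email",
                                                          at=t0 + timedelta(hours=1)),
        "marketing_now": ledger.has_consent("subj-001", "marketing_email"),
        "analytics_now": ledger.has_consent("subj-001", "analytics"),
        "never_asked": ledger.has_consent("subj-001", "profiling"),
        "email_sent": process_if_consented(ledger, "subj-001", "marketing_email", sent.append),
        "events_on_record": len(ledger.history("subj-001")),
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the compliance points: the ledger never overwrites, so the grant, the later withdrawal, and the notice version each subject saw all remain available for an audit or an access request; and `has_consent` answers "no" both when nothing was ever recorded and when the latest event is a withdrawal, which is what makes a processing gate such as `process_if_consented` honour a withdrawal without delay.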
While the right to withdraw provides individuals with more control over their information, it may make the processing of data more complex for businesses. You should keep in mind that the right to withdraw may impact the way your organization processes data. Organizations should focus on strengthening customer relationships so that individuals remain willing to consent, and should create systems and procedures that give individuals a simple, straightforward way to withdraw their consent.
Aligning with Consent Requirements Under the GDPR
The GDPR has significantly changed the previous definition of consent in the Data Protection Directive. While the new requirements for collecting consent give EU citizens more control, they provide a significant challenge for global organizations. Due to the hurdles of complying with the GDPR’s requirements for valid consent, organizations should consider all six of the lawful bases before going the consent route.
On matters where an organization has no other route but to ask for an individual’s consent, the organization must be able to demonstrate that it is fully compliant with the new requirements and be able to give data subjects appropriate control of their information. Lastly, proper records of consent are necessary. It is the responsibility of organizations to prove that they have gained consent from data subjects in a lawful manner and maintained the proper documentation.
The Benefits of Alignment with the GDPR Consent Requirements
The new consent requirements from the GDPR are often met with heavy sighs and complaints, and understandably so – they’re probably going to upend your current consent processes. But there are also benefits that come from meeting these tough requirements.
- It can strengthen customer relationships. As with most aspects of the GDPR, the consent requirements are meant to give data subjects (your customers and employees) total control over their data. That’s why they have to actively opt in and why they have the right to withdraw consent at any point. But providing your customers with this control should improve your relationships with them. Handing over this control conveys that you have your customers’ best interests in mind and respect their needs and boundaries.
- It can build a trusted corporate reputation. We’ve mentioned this before, but 86% of EU consumers consider data privacy when choosing to do business with a company. Demonstrating that you are aligned with the GDPR and following its consent requirements can make a difference for privacy-minded customers.
- It can help you evaluate your current data processing policies and practices. The changes in requirements around consent are the perfect opportunity to reconsider why, how, and when your company is collecting personal data and how it is stored and managed. Every organization needs to periodically review and make improvements to these processes, and this is your golden opportunity.
We hope this overview of consent has helped you pinpoint the steps you need to take to manage consent requests under the GDPR. If you’re ready to get started, you can download our step-by-step checklist to collecting, managing, and recording consent.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This document is intended for informational purposes only.