The GDPR, or General Data Protection Regulation, is a regulation accepted by the European Union Parliament on 14 April 2016, to take effect on 25 May 2018, after a 2-year grace period. That’s just around the corner, folks. It will have a dramatic effect on how entities must treat data subjects’ information, as well as a number of peripheral compliance tasks, such as consent, reporting, contracts and more. This is a brief synopsis of how it will affect various business concerns – if you do business in the EU, you should review it carefully to see how it will affect you.
Sometimes, an explicit consent form isn’t necessary – and can even be a very bad idea, as it may trigger additional requirements, which can be expensive and burdensome. Consent is just one of six lawful reasons for processing personal data. The others are:
- A Contract (either sales or service)
- Public Task (actions by public authorities)
- Vital Interests (actions to protect life or limb of the data subject)
- Compliance with a legal obligation
- Legitimate interests (when a private-sector organisation has a genuine and legitimate reason, including commercial benefit, to process personal data without consent, provided that interest is not outweighed by harm to the individual’s rights and freedoms)
When consent is sought, it should always be opt-in, not opt-out. Preferably, it should be double opt-in. And there must be an opt-out/cancellation process that is as easy as (ideally, easier than) giving the original consent. Pre-ticked opt-in boxes are banned.
Lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as fields in a form which are clearly marked as “optional”); and
- Dropping a business card into a box.
The key is that consent requests must require a clear positive action in order to grant consent. Default settings, pre-ticked boxes, inactivity or any default bias will not constitute lawful consent. If a data subject withdraws their consent, you must remove all their data from your records.
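As an added example (not code from the original post), the following Python consent ledger encodes the rules above: a consent request is rejected unless it came from a clear positive action (the box was unchecked by default and the subject ticked it), consent only becomes active after a double opt-in confirmation, and withdrawal is a single call that is no harder than the original consent and purges the personal data held under it. The `ConsentLedger` class, its method names, the in-memory store and the sample subject/purpose values are assumptions for illustration.

```python
"""Consent ledger illustrating GDPR consent handling (added example; hypothetical API)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple
import secrets

# The six lawful bases summarised in the post; consent is only one of them.
LAWFUL_BASES = {
    "consent", "contract", "public_task",
    "vital_interests", "legal_obligation", "legitimate_interests",
}


def _now() -> datetime:
    return datetime.now(timezone.utc)


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    requested_at: datetime
    # Filled in by the double opt-in confirmation step; None until then.
    confirmed_at: Optional[datetime] = None
    # Random token sent to the subject (e.g. by email) to confirm the request.
    confirm_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    withdrawn_at: Optional[datetime] = None

    @property
    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentLedger:
    """In-memory store of consent records and the personal data held under them."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self._data: Dict[str, Dict[str, str]] = {}

    def request(self, subject_id: str, purpose: str, *,
                box_checked: bool, default_checked: bool) -> str:
        """Record a consent request and return the confirmation token.

        Rejects anything that is not a positive action: an unticked box, or a
        box the form rendered pre-ticked (default bias is not lawful consent).
        """
        if default_checked:
            raise ValueError("pre-ticked box: no positive action by the subject")
        if not box_checked:
            raise ValueError("box not ticked: consent was not given")
        rec = ConsentRecord(subject_id, purpose, _now())
        self._records[(subject_id, purpose)] = rec
        return rec.confirm_token  # a real system would email this, never display it

    def confirm(self, subject_id: str, purpose: str, token: str) -> bool:
        """Second step of double opt-in; consent is inactive until this succeeds."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        if not secrets.compare_digest(rec.confirm_token, token):
            return False
        rec.confirmed_at = _now()
        return True

    def has_active_consent(self, subject_id: str, purpose: str) -> bool:
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.is_active

    def store(self, subject_id: str, purpose: str, data: Dict[str, str]) -> None:
        """Only hold personal data once consent for that purpose is active."""
        if not self.has_active_consent(subject_id, purpose):
            raise PermissionError("no active consent for this purpose")
        self._data.setdefault(subject_id, {}).update(data)

    def held_data(self, subject_id: str) -> Dict[str, str]:
        return dict(self._data.get(subject_id, {}))

    def withdraw(self, subject_id: str, purpose: str) -> bool:
        """One-step withdrawal: stops processing and removes the subject's data."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False
        rec.withdrawn_at = _now()
        self._data.pop(subject_id, None)
        return True


if __name__ == "__main__":
    ledger = ConsentLedger()
    token = ledger.request("subject-1", "newsletter", box_checked=True, default_checked=False)
    print("active before confirmation:", ledger.has_active_consent("subject-1", "newsletter"))
    ledger.confirm("subject-1", "newsletter", token)
    ledger.store("subject-1", "newsletter", {"email": "person@example.com"})  # constructed sample
    ledger.withdraw("subject-1", "newsletter")
    print("data after withdrawal:", ledger.held_data("subject-1"))
```

The two checks in `request` are the point: the ledger never accepts a submission where the rendered default already said "yes", and the subject's data is never stored before the confirmation step, so a half-completed opt-in cannot quietly turn into processing.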
The GDPR has teeth, too – fines of up to 4% of your annual global turnover or €20 million (whichever is greater). So it doesn’t pay to ignore it or get it wrong.
More information:
- https://www.eugdpr.org/
- https://www.eugdpr.org/key-changes.html
- http://www.gf4b.co.uk/wp-content/uploads/2017/10/GDPR-Whitepaper-Forms.pdf
- https://www.itgovernance.eu/blog/en/what-the-gdpr-means-for-marketers/
- https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent/
- https://www.itgovernance.eu/blog/en/gaining-explicit-consent-under-the-gdpr-2/
- https://www.itgovernance.eu/blog/en/how-to-create-gdpr-compliant-consent-forms/
- http://privacylawblog.fieldfisher.com/2016/the-nuance-of-accepting-vs-reading-a-privacy-policy/