The GDPR, or General Data Protection Regulation, is a regulation accepted by the European Union Parliament on 14 April 2016, to take effect on 25 May 2018, after a 2-year grace period. That’s just around the corner, folks. It will have a dramatic effect on how entities must treat data subjects’ information, as well as a number of peripheral compliance tasks, such as consent, reporting, contracts and more. This is a brief synopsis of how it will affect various business concerns – if you do business in the EU, you should review it carefully to see how it will affect you.
Sometimes, an explicit consent form isn’t necessary ““ and can even be a very bad idea, as it may trigger additional requirements, which can be expensive and burdensome. Consent is just one of six lawful reasons for processing personal data. The others are:
- A Contract (either sales or service)
- Public Task (actions by public authorities)
- Vital Interests (actions to protect life or limb of the data subject)
- Compliance with a legal obligation
- Legitimate interests (when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.)
When a consent is sought, it should always be opt-in, not opt-out. Preferably, it should be double opt-in. And there must be an opt-out/cancellation process that is as easy (ideally, easier) as the original consent. (Pre-ticked opt-in boxes are banned)
Lawful consent requests include:
- Signing a consent statement on a paper form;
- Clicking an opt-in button or link online;
- Selecting from equally prominent yes/no options;
- Choosing technical settings or preference dashboard settings;
- Responding to an email requesting consent;
- Answering yes to a clear oral consent request;
- Volunteering optional information for a specific purpose (such as fields in a form which are clearly marked as “optional”); and
- Dropping a business card into a box.
The key is that consent requests must require a clear positive action in order to grant consent. Default settings, pre-ticked boxes, inactivity or any default bias will not constitute lawful consent. If a data subject withdraws their consent, you must remove all their data from your records.
For those businesses that choose not to rely on consent under the GDPR, the language linking to their privacy policy will need to change from “I accept the privacy policy“ to “I have read the privacy policy“ (or similar). It’s important to remember, though, that relying upon consent can add a lot of compliance overhead for your organization. If any of the other five lawful reasons apply for you, you’ll be better off going that route. And if you do decide to use an explicit consent form, be aware that there are some very definitive criteria to follow, to comply with the GDPR.
The GDPR has teeth, too – fines of up to 4% of your annual global turnover or €20 million (whichever is greater). So it doesn’t pay to ignore it or get it wrong.
More information: https://www.eugdpr.org/ https://www.eugdpr.org/key-changes.html http://www.gf4b.co.uk/wp-content/uploads/2017/10/GDPR-Whitepaper-Forms.pdf https://www.itgovernance.eu/blog/en/what-the-gdpr-means-for-marketers/ https://www.itgovernance.eu/blog/en/gdpr-when-do-you-need-to-seek-consent/ https://www.itgovernance.eu/blog/en/gaining-explicit-consent-under-the-gdpr-2/ https://www.itgovernance.eu/blog/en/how-to-create-gdpr-compliant-consent-forms/ http://privacylawblog.fieldfisher.com/2016/the-nuance-of-accepting-vs-reading-a-privacy-policy/
