GDPR Consent Requirements
The introduction of the General Data Protection Regulation (GDPR) on 25th May 2018 will cause the biggest shake-up data protection laws have seen in the last 20 years. This significant piece of EU legislation has been introduced to unify data protection law across Europe, in the hope of improving consumer confidence, engagement, and privacy.
So, what does this mean in practice? Put simply, the legislation aims to give people the right to manage how companies use their data. It sounds straightforward enough, but ensuring your business gets clear consent can be a challenge.
What Does Consent Mean Under GDPR?
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” – Recital 32 of GDPR.
Under current data protection laws, individuals must “signify” their agreement that an organisation can use their data. Boxes can be pre-ticked or consent can be predetermined as a condition of a sale or competition entry.
However, under GDPR, the standard of consent required is now much higher. This creates a challenge for businesses, charities and public bodies, as a failure to opt out, and vague or blanket consent, will no longer be acceptable.
Once GDPR comes into force, marketers can only send communications to customers who clearly and affirmatively requested to receive the information.
Why is Consent Important?
GDPR states that gaining consent is the ‘one lawful basis for processing data’. Without consent, you have no legal grounds to process or control data. Relying on inappropriate or invalid consent could destroy trust, harm reputations and, ultimately, lead to substantial fines.
By securing consent, people have control over how businesses use their personal data. This enhances consumer trust and engagement and strengthens businesses’ reputations. It will also create leaner, more efficient databases for marketers.
What Determines Valid Consent?
At the point where a person’s data is acquired, you must offer a clear statement that provides specific, granular choices about how you will use their data. The consent statement must be separate from terms and conditions, be concise, easy to understand and user-friendly. Statements must also include the names of any third-party data controllers who may rely on that consent to process data.
This approach applies to all forms of communications, be it email, telephone, SMS or direct mail.
As well as this, businesses need to be able to prove that they received consent from data subjects, meaning the responsibility is placed firmly with the data processors and controllers.
You must use the following information to form part of the consent record for a user:
- Who do you hold data about and how did you get their details?
- When did you collect it?
- Why are you contacting them?
Getting your privacy policies right is a big part of GDPR readiness and acquiring consent legally. The Information Commissioner’s Office (ICO) has published comprehensive guidance to help determine privacy policies under GDPR.
How Do I Gain Consent?
ICO guidance recommends that businesses should refresh existing consent policies now if they don’t meet the GDPR standard. If you can’t prove you have consent, you must have your opt-in database built before the 25th May 2018.
To ensure you have high opt-in rates, you will need to think creatively. An effective way is to offer something such as a white paper, but you mustn’t make joining your marketing lists a prerequisite for the download. It’s important to remember that consent must be freely given.
The ICO also states that: ‘The GDPR sets a high standard for consent. But you often won’t need consent. If consent is difficult, look for a different lawful basis.’ For example, instances where consent may not be needed include: when you provide goods or services and hold the data under contract, or if two parties have a continuing (business) relationship and shared interests. Where healthcare providers may be able to act without consent to preserve life, the lawful basis for processing data is defined as a “vital interest”. Whatever the case may be, you should always aim to take the most logical course of action regarding consent and act with data subjects’ best interests in mind.
You need to think of your database in terms of customers, not numbers and email addresses. Consider how you would want your data to be treated and how you can add value to your customers with your communications. Always remember that honesty is crucial to maintain good customer relationships and comply with data protection law.