GDPR Consent Requirements

Lex Riley
January 5, 2018
Clock Icon 3 min read

The introduction of the General Data Protection Regulation (GDPR) on the 25th May 2018, will cause the biggest shake up data protection laws have seen in the last 20 years. This significant piece of EU legislation has been introduced to unify data protection law across Europe, in the hope of improving consumer confidence, engagement, and privacy.

So, what does this mean in practice? Put simply, the legislation aims to give people the right to manage how companies use their data. It sounds straightforward enough, but ensuring your business gets clear consent can be a challenge.

employees checking company's GDPR compliance

What does Consent Mean Under GDPR?

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” – Recital 32 of GDPR.

Under current data protection laws, individuals must “signify” their agreement that an organisation can use their data. Boxes can be pre-ticked or consent can be predetermined as a condition of a sale or competition entry.

However, under GDPR, the standard of consent required is now much higher. This creates a challenge for businesses, charities and public bodies, as a failure to opt-out and vague or blanket consent will no longer be acceptable.

Once GDPR comes into force, marketers can only send communications to customers who clearly and affirmatively requested to receive the information.

expert icon

Need a Course?

Our GDPR Training Course is suitable for anyone who has responsibility for implementing the changes brought about by the GDPR. It will outline your main responsibilities and help you to start making the necessary changes.

Why is Consent Important?

GDPR states that gaining consent is the ‘one lawful basis for processing data’. Without consent, you have no legal grounds to process or control data. Relying on inappropriate or invalid consent could destroy trust, harm reputations and, ultimately, lead to substantial fines.

By securing consent, people have control over how businesses use their personal data. This enhances consumer trust and engagement and strengthens businesses reputations. It will also create leaner, more efficient databases for marketers.

employees revising GDPR policies

What Determines Valid Consent?

At the point where a person’s data is acquired, you must offer a clear statement that provides specific, granular choices about how you will use their data. The consent statement must be separate from terms and conditions, be concise, easy to understand and user-friendly. Statements must also include the names of any third-party data controllers who may rely on that consent to process data.

This approach applies to all forms of communications, be it email, telephone, SMS or direct mail.

As well as this, businesses need to be able to prove that they received consent from data subjects, meaning the responsibility is placed firmly with the data processors and controllers.

You must use the following information to form part of the consent record for a user:

  • Who do you hold data about and how did you get their details?
  • When did you collect it?
  • What did you tell individuals (consent statement/privacy policy) when collecting their data?
  • Why are you contacting them?

Getting your privacy policies right is a big part of GDPR readiness and acquiring consent legally. The Information Commissioner’s Office (ICO) has published comprehensive guidance to help determine privacy policies under GDPR.

How do I Gain Consent?

ICO guidance recommends that businesses should refresh existing consent policies now if they don’t meet the GDPR standard. If you can’t prove you have consent, you must have your opt-in database built before the 25th May 2018.

To ensure you have high opt-in rates, you will need to think creatively. An effective way is to offer something such as a White Paper, but you mustn’t make the download a prerequisite to join your marketing lists. It’s important that you remember consent must be freely given.

employees holding meeting to discuss GDPR

You need to think of your database in terms of customers, not numbers and email addresses. Consider how you would want your data to be treated and how you can add value to your customers with your communications. Always remember that honesty is crucial to maintain good customer relationships and comply with data protection law.

What to Read Next: