The introduction of the General Data Protection Regulation in May brings with it a greater emphasis on consent, clarifying some areas while leaving others still open to interpretation.
In short, under the GDPR:
- Consent must be freely given, specific and unambiguous
- Organisations must be able to demonstrate that a data subject provided consent
- Data subjects have the right to withdraw consent at any time
Here, I’ll discuss three of the main consent requirements and the impact they’ll have on organisations aiming to be compliant once the GDPR comes into force.
1. Unambiguous Consent
“Unambiguous” is an extension of the criteria set out in the current Data Protection Directive. The GDPR explains that “consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement … Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent” (Recital 32).
If companies rely on consent as a lawful basis for processing personal data there will be a number of cases where a company This may be the case, for example, when seeking to use an individual’s sensitive personal information (such as information about their health), to send e-marketing, or when seeking to share personal information with independent third parties for their own commercial purposes.
It’s also worth noting that consents collected before 25th May have to meet GDPR standards. So, organisations relying on consent as a lawful basis for processing should follow these “rules” now.
2. Demonstrating Consent
Unambiguous consent alone is not sufficient. The GDPR requires in Art. 7(1) that the data controller be able to show or prove consent. “Where processing is based on consent,” it states, “the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.”
What this will mean in practice is that businesses have to maintain consent records that can be produced to show that the individual has consented, as well as how (such as through a data capture form), and when the consent took place (with an online time stamp, for example).
3. Withdrawable Consent
The GDPR has made provisions for customers who change their minds and want to withdraw their consent at a later date. Set out in Art. 7(4), an individual “shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent”.
If an individual wishes to withdraw consent, they must be able to do so whenever they like, and the business must cease any processing activities it conducted based on that consent. It is good practice to use the same process to collect and withdraw consent.
Here, the GDPR demonstrates how it is giving customers more control. This can be beneficial to businesses; customers who feel in control of the data a business uses about them are likely to have higher levels of trust in that business, encouraging repeat sales and business growth.
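As an added illustration of the record-keeping described in sections 2 and 3 (this is example code, not from the original post or from DocuSign), the hypothetical Python ledger below stores how and when each consent was captured, rejects a “grant” that did not come from a clear affirmative act, uses the same path to record a withdrawal, and lets only the most recent event decide whether processing may go ahead. The class, method names and the AFFIRMATIVE_METHODS set are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

# Constructed, assumed set of capture methods that count as a clear affirmative
# act. Silence, inactivity and pre-ticked boxes are deliberately absent, so a
# grant recorded through such a method is refused.
AFFIRMATIVE_METHODS = {"web-form-tick", "signed-statement", "e-signature", "recorded-oral"}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    subject_id: str
    purpose: str           # what the consent covers, e.g. "e-marketing"
    granted: bool          # True = consent given, False = consent withdrawn
    method: str            # the "how": the data capture route used
    recorded_at: datetime  # the "when": UTC time stamp of the event


class ConsentLedger:
    """Append-only consent record; giving and withdrawing share one code path."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _record(self, subject_id: str, purpose: str, granted: bool, method: str) -> ConsentEvent:
        if granted and method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative act; consent not recorded")
        event = ConsentEvent(subject_id, purpose, granted, method, datetime.now(timezone.utc))
        self._events.append(event)  # events are never edited or deleted afterwards
        return event

    def give(self, subject_id: str, purpose: str, method: str) -> ConsentEvent:
        return self._record(subject_id, purpose, True, method)

    def withdraw(self, subject_id: str, purpose: str, method: str) -> ConsentEvent:
        # Same process as giving consent, so withdrawing is exactly as easy.
        return self._record(subject_id, purpose, False, method)

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full history for one subject and purpose, oldest first, to demonstrate consent."""
        return [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Processing gate: only the latest event counts, so a later withdrawal wins."""
        history = self.evidence(subject_id, purpose)
        return bool(history) and history[-1].granted
```

Any processing that relies on consent would call has_consent() first, and evidence() is what you hand over when asked to show that, how and when the individual consented.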
Demanding Consent Requirements
Consent is a relatively complex part of the new regulation, with aspects such as explicit consent and the special protections for children’s data requiring particular attention, depending on your business and customer base. Failure to comply with the GDPR come May would be more than remiss; substantial fines can reach up to €20 million or 4% of the company’s global annual turnover, whichever is higher.
Alongside stronger conditions for consent, the GDPR also requires organisations to bake data protection into their systems, a concept known as ‘privacy by design’. DocuSign is helping businesses from all sectors become GDPR-ready. E-signature makes it easier to obtain affirmative consent in real-time at the point of data collection, as well as to demonstrate consent with a court-admissible audit trail.
Find out more about consent and the GDPR in our Essential Guide, in partnership with leading UK law firm, Fieldfisher.