Consent under the new General Data Protection Regulations (GDPR) is all about empowering consumers. It means that your organisation must give individuals real choice and control over how you communicate with them and process their data, and indeed if they want to let you do so.
On the plus side, this can help you build customer trust and engagement, and enhance your reputation. Equally, you’ll have to review your data processes and probably your marketing strategies too.
Here are some top tips on how to obtain, record and manage consent under GDPR.
How to comply with rules of consent under GDPR
Work out whether your current processes for obtaining consents meet the GDPR requirements.
You’ll need to identify all processes that are legitimised through the individual’s consent. Be aware that not all processes require consent, although you still do need to state a specific legal justification for data processing, whether consent is the appropriate reason or not. You can read what Elizabeth Denham, information commissioner, has to say on the subject in her blog “Consent is not the ‘silver bullet’ for GDPR compliance”.
Where consent is required – for example in your marketing outreach - consent must be freely given, specific, informed, unambiguous and explicit. Review and amend your existing consent forms to make sure they’re in line with GDPR requirements. You’ll need to record all of this so you have a clear data trail, including for the scenario where someone withdraws their consent.
What you cannot do when obtaining consent
For GDPR compliance, it’s important that you don’t:
- Use pre-ticked boxes or any other kind of default consent
- Muddle your consent requests in with other terms and conditions
- Assume consent for one form of communication or processing means consent for all things – vague or blanked consent isn’t good enough
- Make consent a precondition of a service
- Use over-complicated language – make it easy for the person to understand
How to record and manage consent
Make sure to keep a record of when and how you obtained consent, and exactly what your customers were told.
Your next step is to demonstrate that you’re managing them responsibly. This involves regularly reviewing consents to check that the relationship, processing and purposes haven’t changed – in which case you’ll need to put processes in place to refresh consent at regular intervals.
If you don’t have one already, it’s good practice to set up a dashboard on your website where people can manage their preferences - what communications they want from you, when and on what subject.
If someone wants to withdraw their consent, they need to be able to do it at any time and easily. Plus, you must act on that consent withdrawal as soon as possible, and avoid penalising the person in any way.