In the third of a series of posts on the General Data Protection Regulation (GDPR), which comes into force from May 25th, 2018, I’m looking at the issue of consent in relation to data collection.
Here’s what you need to know:
Consent must be active
Perhaps the most important point to remember is that, under GDPR, consent must be given via “a statement or a clear affirmative action.” So if, for example, you are recruiting subscribers for your monthly newsletter, people must actively sign up to your list – such as by ticking a box or emailing you to ask for the newsletter. Inactive consent, for example through pre-ticked boxes or automatically signing people up when they contact you for unconnected reasons, is no longer acceptable.
Also, consent must be standalone, so it must be kept separate from other terms and conditions.
Consent must be freely given
When someone hands over their data to you it must be given as a positive choice. So, they must not have been misled, intimidated or made to think that withholding consent will have a negative impact on them.
Withdrawing consent must be easy
You also need to provide simple ways for people to withdraw consent, e.g. by making it easy to unsubscribe from your newsletter. On this point GDPR states that “the data subject must be able to withdraw his or her consent at any time and the process for withdrawing consent must be as easy as that for giving consent.” This suggests the mechanism to withdraw consent must be as clear and legible as that to give consent in the first place. Or, put more simply – you can’t bury your unsubscribe link in small print at the bottom of your emails; it must be clear and legible.
Also, after consent is withdrawn, people have the right to have their personal data erased and no longer used by you.
• People must actively give consent for data collection
• Consent must be a positive choice
• You must make consent withdrawal clear and easy