The GDPR sets a rather high standard for consent and places more control in an individual’s hands. In fact, we’ve got a webinar all about consent soon – you can sign up here. For now, here’s a brief overview of consent and why it’s so important to have it in the run-up to the GDPR.
The GDPR defines consent as:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
So once you’ve got your head around that lengthy definition, you start to question “what classes as compliant then?”
It must be unambiguous and involve a clear, affirmative action. “Tick this box to agree to receive our monthly newsletter” is a good clear consent statement – don’t let people wonder about what they would be opting in for. None of that ‘Untick this box to not receive our monthly newsletter and perhaps other marketing materials’ which is ever so confusing.
Don’t mix up consent with terms and conditions – companies aren’t permitted to make consent a precondition of signing up to a service. People may want your services but not want to receive promotional material, and the GDPR allows them to pick and choose what, if anything, they would like to receive.
Here’s a short and sweet one: the GDPR hates pre-ticked opt-in boxes. These are prohibited because companies should never assume consent.
The new legislation requires granular consent for distinct processing options. So you can’t put ‘tick this box to receive marketing activities’ – you’d need to state which marketing activities. A newsletter? Offers? And by what medium – email, phone, direct mail? Be specific.
Record everything you do so you can prove that you gain consent in a GDPR-compliant way. Keeping records should be the backbone of your transformation into GDPR compliance – if someone questions your consent-gaining methods, you can be confident knowing that you can prove where, when and how you gained consent.
People need to be able to withdraw their consent easily. Inform people that they have the right to withdraw at any point and provide simple ways for them to do so. No long, drawn-out processes or difficult-to-see unsubscribe links in emails. They need to be clear, obvious and easy.
What happens to all your existing records? Well, if your methods of consent already meet GDPR requirements then awesome; they don’t need updating. If they don’t meet the standards then it’s probably about time to put in a new campaign to refresh the consent and be compliant. This might take some time, especially if you have a large database, so make sure you don’t leave it to the last minute.
Obviously, there’s a lot of scaremongering out there about the GDPR, with companies trying their hardest to convince you that it will in fact be the end of the world. Fear not, there are plenty of resources by the ICO and the DMA to help you with GDPR and we’ve decided to join them, so for a more detailed insight into consent and legitimate interest, please sign up to our webinar.