If you propose to use the current consent that you have from your clients or customers as your lawful basis for processing personal data, you may need to take positive steps to consider if such consents meet the new conditions under the GDPR.
Under previous data protection regulations, consent could be implied from the actions of the relevant individual or “data subject”. However, the new rules under GDPR introduce a major change to the way organisations have to obtain consent to use individuals’ personal data.
Under the GDPR, consent is more difficult to obtain and it has to be:
- freely given,
- specific,
- informed,
- properly documented, and
- easy to withdraw.
This new definition has many practical implications.
For example, if someone offers you their details and gives consent to receive one type of email communication – say, an e-receipt or details about an event – this does not give you free rein to send him or her other communications. The consent is specific solely to the purpose for which it is given.
Another example is that it is no longer acceptable to use pre-ticked consent boxes on websites or apps – that is, consumers now have to ‘opt in’ rather than ‘opt out’. Consent obtained from a pre-ticked box is not regarded as necessarily having been given freely or on an informed basis, as the individual might not have noticed the box and might not be aware that he or she has given consent for their data to be used in the manner that you want it to be used.
Consent also needs to be documented and stored in a way that lets organisations easily demonstrate compliance or action a request from an individual to withdraw consent. This is a significant change and imposes additional operational burdens on a business. You need to have processes in place to be able to demonstrate compliance.
Our experienced team can explain how the new consent rules affect your business and how to ensure compliance.