3 Requirements for Obtaining Consent Under the GDPR (2024)

The introduction of the General Data Protection Regulation brought with it a greater emphasis on consent, clarifying some areas while leaving others still open to interpretation.

In short, under the GDPR:

  • Consent must be freely given, specific and unambiguous
  • Organisations must be able to demonstrate that a data subject provided consent
  • Data subjects have the right to withdraw consent at any time

Here, we discuss three of the main consent requirements and the impact they'll have on organisations aiming to be compliant once the GDPR comes into force.

1. Unambiguous Consent

“Unambiguous” is an extension of the criteria set out in the current Data Protection Directive. The GDPR explains that “consent should be given by a clear affirmative act ... such as by a written statement, including by electronic means, or an oral statement... Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent” (Recital 32).

If companies rely on consent as a lawful basis for processing personal data there will be a number of cases where a company This may be the case, for example, when seeking to use an individual’s sensitive personal information (such as information about their health), to send e-marketing, or when seeking to share personal information with independent third parties for their own commercial purposes.

It's also worth noting that consents collected before 25th May have to meet GDPR standards. So, organisations relying on consent as a lawful basis for processing should follow these "rules" now.

2. Demonstrating Consent

Unambiguous consent alone is not sufficient. The GDPR requires in Art. 7(1) that the data controller be able to show or prove consent. “Where processing is based on consent,” it states, “the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.”

What this will mean in practice is that businesses have to maintain consent records that can be produced to show that the individual has consented, as well as how (such as through a data capture form), and when the consent took place (with an online time stamp, for example).

3. Withdrawable Consent

The GDPR has made provisions for customers who change their minds and want to withdraw their consent at a later date. Set out in Art 7(4), an individual "shall have the right to withdraw his or her consent at any time... It shall be as easy to withdraw consent as to give consent".

If an individual wishes to withdraw consent, they must be able to do so whenever they like, and the business must cease any processing activities it conducted based on that consent. It is a good practice to use the same process to collect and withdraw consent.

Here, the GDPR demonstrates how it is giving customers more control. This can be beneficial to businesses; customers who feel in control of the data a business uses about them are likely to have higher levels of trust in that business, encouraging repeat sales and business growth.

Demanding Consent Requirements

Consent is a relatively complex part of the new regulation, with aspects such as explicit consent and the special protections for children’s data requiring particular attention, depending on your business and customer base. Failure to comply with the GDPR come May would be more than remiss; substantial fines can reach up to €20 million or 4% of the company’s global annual turnover, whichever is higher.

Alongside stronger conditions for consent, the GDPR also requires organisations to bake data protection into their systems, a concept known as ‘privacy by design’. DocuSign is helping businesses from all sectors become GDPR-ready. E-signature makes it easier to obtain affirmative consent in real-time at the point of data collection, as well as to demonstrate consent with a court-admissible audit trail.

Find out more about the GDPR in our blog: 4 Things to Look for in a GDPR Consent Solution.


As an expert in data protection and privacy regulations, I can attest to the critical importance of the General Data Protection Regulation (GDPR) in today's digital landscape. The GDPR, which came into force on May 25, has significantly reshaped the way organizations handle and process personal data.

The article you provided delves into key aspects of consent under the GDPR, emphasizing the need for organizations to align their practices with the regulation's stipulations. Let's break down the concepts discussed in the article:

  1. Unambiguous Consent: The GDPR mandates that consent must be freely given, specific, and unambiguous. The article underscores the requirement for a clear affirmative act, explicitly stating that silence, pre-ticked boxes, or inactivity do not constitute valid consent. This is crucial, especially when dealing with sensitive personal information or engaging in activities like e-marketing.

    • Takeaway: Organizations must ensure that they obtain explicit and unambiguous consent from individuals, particularly when dealing with sensitive data.

  2. Demonstrating Consent: The GDPR not only requires unambiguous consent but also demands that organizations can demonstrate that individuals provided such consent. This involves maintaining consent records, including details such as how and when consent was obtained. This evidentiary aspect ensures transparency and accountability in data processing activities.

    • Takeaway: Businesses must keep detailed records of consent, including the method and timing of obtaining consent, to comply with GDPR requirements.

  3. Withdrawable Consent: Another key aspect highlighted in the article is the provision for individuals to withdraw their consent at any time. Art. 7(4) of the GDPR specifies that the withdrawal process should be as easy as giving consent. This empowers individuals to have control over their data and fosters trust between customers and businesses.

    • Takeaway: Organizations must establish user-friendly mechanisms for individuals to withdraw consent easily and promptly cease related data processing activities.

  4. Demanding Consent Requirements: The article emphasizes that the GDPR's consent requirements are intricate, with specific attention needed for elements such as explicit consent and special protections for children's data. Non-compliance with the GDPR can result in substantial fines, highlighting the seriousness of adhering to these regulations.

    • Takeaway: Organizations should pay close attention to all aspects of consent, including special considerations for specific types of data and user groups.

In addition to consent-related considerations, the article touches upon the broader GDPR framework, mentioning potential fines for non-compliance and the concept of 'privacy by design.' It also highlights the role of technology, such as electronic signatures, in facilitating GDPR compliance.

In summary, the GDPR's impact on consent necessitates a comprehensive understanding and meticulous implementation of the regulation's requirements to ensure legal compliance and build trust with individuals.

Author: Geoffrey Lueilwitz
