One of the most manually intensive requirements of the EU General Data Protection Regulation (GDPR) is documenting compliance. Consent forms can be particularly tough as there are many nuances to the way in which data must be collected and stored.
This blog breaks down the things you need to consider when creating consent forms. If you want to know about the requirements for consent itself, look at the Regulation’s definition of consent and the dangers of relying on it.
Request as little data as possible
The GDPR’s data minimisation, purpose limitation and storage limitation principles mean that organisations shouldn’t process or retain extraneous personal data. Data should be collected for a specific purpose, used only for that purpose and retained only for as long as it serves that purpose. You’ll typically need individuals’ names and contact information at the very least, but you must decide what other information, if any, is necessary for the task at hand, and leave out every field that isn’t.
Make the terms and conditions clear
You can’t hide the terms and conditions for consent, and you can’t make them so vague or complicated that people won’t read or understand them. Consent mechanisms must be easy to use and kept separate from other terms and conditions, and requests must be written clearly and concisely.
Consent forms should also let individuals know which organisations and third parties will be relying on their consent.
Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide
Make it easy to withdraw consent
Consent requests must make it as easy for individuals to withdraw their consent as it was for them to give it. This means individuals need to be told straight away that they can withdraw their consent at any time, and you must explain how to do it. Withdrawal doesn’t affect the lawfulness of processing that took place before it, but processing based on that consent must stop once it is withdrawn.
Use a double opt-in mechanism
A double opt-in mechanism reduces the risk that individuals give their consent by accident, or that someone submits another person’s details. The first step is a regular consent form. Once the individual has completed it, they receive an email containing a link that they need to click to confirm their consent; until they do, the consent is unconfirmed and should not be relied on.
Double opt-in doesn’t involve much extra work for either the organisation or the individual. Many people are already familiar with it, as it is often used to activate new accounts, and it makes sure that those who provide their consent are genuinely interested in the service on offer. It also gives you a record of when and how consent was confirmed, which is exactly the evidence you need in order to demonstrate that consent was obtained.
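The double opt-in flow just described, together with the withdrawal step from the previous section, as an added example in Python. This is illustrative code written for this page, not code from the original post or from any toolkit it mentions. The confirmation endpoint URL (example.com), the 48-hour link lifetime and the in-memory store are assumptions; a real deployment would persist the records in a database and authenticate the withdrawal request (for instance via a link of the same kind in every mailing). The points it demonstrates are the ones a practitioner cares about: the link token is unguessable, only its hash is stored, it expires, it can be used once, and the record keeps the timestamps needed to demonstrate consent later.

```python
"""Double opt-in consent with single-use, expiring confirmation links.

Added example for this page; not code from the original post. The URL,
the token lifetime and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 48 * 3600                                  # assumed: links live 48 hours
CONFIRM_URL = "https://example.com/consent/confirm"    # assumed endpoint


@dataclass
class ConsentRecord:
    email: str
    purpose: str                          # the specific purpose consent is asked for
    requested_at: float                   # form submitted (unconfirmed consent)
    confirmed_at: Optional[float] = None  # link clicked; consent may now be relied on
    withdrawn_at: Optional[float] = None  # consent withdrawn; stop processing
    token_hash: Optional[str] = None      # SHA-256 of the pending token, never the token
    token_expires_at: float = 0.0

    def is_active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _key(email: str, purpose: str) -> Tuple[str, str]:
        return email.strip().lower(), purpose

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request(self, email: str, purpose: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: the consent form was submitted. Returns the confirmation link to email,
        or None if consent for this purpose is already active (nothing to confirm)."""
        now = time.time() if now is None else now
        key = self._key(email, purpose)
        existing = self._records.get(key)
        if existing is not None and existing.is_active():
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: not guessable
        self._records[key] = ConsentRecord(
            email=key[0], purpose=purpose, requested_at=now,
            token_hash=self._hash(token), token_expires_at=now + TOKEN_TTL,
        )
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[ConsentRecord]:
        """Step 2: the link was clicked. Returns the confirmed record, or None if the
        token is unknown, already used or expired."""
        now = time.time() if now is None else now
        candidate = self._hash(token)
        for rec in self._records.values():
            if rec.token_hash is None:
                continue                                   # no pending token on this record
            if not hmac.compare_digest(rec.token_hash, candidate):
                continue
            rec.token_hash = None                          # single use, whatever happens next
            if now > rec.token_expires_at:
                return None                                # expired: the person must re-request
            rec.confirmed_at = now
            return rec
        return None

    def withdraw(self, email: str, purpose: str, now: Optional[float] = None) -> bool:
        """Withdraw active consent. The caller must already have authenticated the request."""
        now = time.time() if now is None else now
        rec = self._records.get(self._key(email, purpose))
        if rec is None or not rec.is_active():
            return False
        rec.withdrawn_at = now
        return True

    def is_active(self, email: str, purpose: str) -> bool:
        rec = self._records.get(self._key(email, purpose))
        return rec is not None and rec.is_active()
```

Only the hash of the token is stored, so a copy of the consent table does not let anyone confirm on someone else’s behalf; `hmac.compare_digest` avoids a timing side channel on the comparison, and clearing `token_hash` before checking expiry guarantees a link can never be replayed. The record keeps `requested_at`, `confirmed_at` and `withdrawn_at` so you can show, for any individual and purpose, when consent was given and when it ended.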
Get consent form templates
You can get consent form templates that you can tailor to your organisation’s needs in our EU General Data Protection Regulation (GDPR) Documentation Toolkit. It also contains all the critical documents you need to comply with the GDPR, including:
- Guidelines for mapping the flow of data across your organisation;
- A procedure for conducting a privacy audit;
- Templates for creating clear and accurate privacy notices;
- A data breach notification process and procedures;
- Subject access request templates and procedures;
- An international data transfer procedure;
- Data protection impact assessment templates and procedures; and
- Important information security policies and procedures to keep your information secure.
Find out more about our EU General Data Protection Regulation (GDPR) Documentation Toolkit >>
Dear Luke. I am a podiatrist. I visit private patients in their home. All of my records are handwritten on individual records. I do not maintain computer information or mobile phone information on my patients. How are the new rules applicable to me? I am not registered under the DPA for the same reason (hand written paper documents). Thank you. Monty
Hi Monty,
The GDPR isn’t just about digital information; criminals could cause just as much damage if they got hold of paper records. You would need to follow the same rules about collecting and storing this information.
Great!
Nice article
Dear Luke, I am a landlord with a portfolio of properties in Scotland. I use contractors to do certain jobs, like:
- Provide annual gas certificates;
- Provide routine maintenance (rolling lots of plumbing, joinery, electrical and landscaping jobs into “maintenance” to keep it short).
If I understand it correctly, info@yourtradesman.com needs no compliance, but something like john-smith@joinersforyou.co.uk (this is made up; if it’s an actual email address, that’s a coincidence) would need the permission of John Smith of joinersforyou.com before I could store his contact details.
Best regards,
James
Hi James,
You would need to demonstrate a lawful basis for collecting that information — but that doesn’t necessarily mean consent. There are six lawful bases in total, and consent is the least preferable.
Hello Luke,
I’m starting my own photography business specialising in events, children’s parties, etc. Are there any changes I need to make to my permission forms due to the GDPR?
Thank you