The new consent requirements introduced in the GDPR (General Data Protection Regulation) mean you need to be extra vigilant when it comes to requesting information. The rules for lawful consent are much tougher than in the past, and savvy data subjects will be bound to query anything that seems suspicious.
You can be sure your data processing activities meet the GDPR’s consent requirements by follow these guidelines.
Request as little data as possible
The GDPR states that organisations should only process personal data if it’s collected for a specific purpose and used only for that purpose. Once the information is no longer needed, organisations should erase it.
You’ll typically need individuals’ names and contact information at the very least, but you must decide what other information, if any, is necessary for the task at hand.
Make the terms and conditions clear
When you request information, you must provide clear and simple directions to view your terms and conditions. With an online form, you should consider creating a link at the top of the request form; physical forms should come with the terms and conditions included. In both instances, the documentation surrounding consent must be kept separate from your other contractual statements.
You must write your conditions for consent in plain language, avoiding vague terms such as ‘might’, ‘some’ and ‘possibly’. You should also state definitively whether the information will be shared with third parties.
Watch our webinar recording GDPR webinar, Challenges for data protection officers (DPOs).
Use a double opt-in mechanism
A double opt-in mechanism guarantees that individuals don’t give their consent by accident. The first step involves a regular consent form. Once the individual has completed it, they’ll receive an email with an attached link that they need to click on to verify their consent.
Double opt-in consent doesn’t involve too much extra work for either the organisation or the individual. Many people are already familiar with it as it’s often used to activate new accounts and it makes sure that those who provide their consent are genuinely interested in the service on offer.
Make it easy to withdraw consent
You need to make it as easy, or easier, for individuals to withdraw consent as it is for them to give it. For example, if your consent mechanism involves directing individuals to a form and asking them to tick a box, then a similar system must be in place for withdrawing consent. You can’t ask them to take additional steps, liking phoning a helpline or sending an email.
The way in which data subjects can withdraw consent must be outlined in the initial consent form, along with an explanation of their other data subject rights, such as the right to access any information the organisation holds them and to challenge any processing activity that they are unhappy about.
Get consent form templates
You can be sure that your consent form meet the Regulation’s requirements by using our GDPR Starter Bundle.
This package contains a toolkit that includes over 80 GDPR templates, including policies, procedures and checklists, as well as software and online training options that can help boost your compliance efforts.
A version of this blog was originally published on 25 August 2017.