Consent under GDPR
Consent under GDPR means providing individuals with a genuine choice over how your business utilise their information. If the individual has no actual choice, consent isn’t freely given, which means that it would be invalid. This suggests individuals must have the capacity to control their data with no effort and must have the ability to pull back their consent effectively at any point. Likewise, consent under GDPR suggests terms and conditions must be clear with no excessive about data procedures, deletion and retention policies(giving separate consent alternatives for various sorts of handling) wherever conceivable. The GDPR states that seeking consent should not be a necessary condition unless is necessary for the services. Article 7(4) says:
“While evaluating whether consent is voluntarily given, the most important aspect to be considered is whether the execution of a contract, including the agreement of an account, is contingent on agreeing to the handling of individual information that isn’t vital for the execution of that agreement.”
“Consent is assumed not to be unreservedly given if the execution of an agreement, including the arrangement of a service, is subject to the consent despite such consent might not be fundamental for such agreement.”
In our GDPR blog, we’ve already discussed the various aspects and industries affected by GDPR, and you’ll be glad to hear we have another detailed guidance on consent to help you with your GDPR compliance. This article follows the requirements issued by the European Group of Information Security Specialists, the Article 29 Working Party. From tech companies to public and non-profit organisations, consent under GDPR is highly debated topic.
Here some of the false understandings surrounding GDPR “won’t be able to send my bulletin out anymore” or “you must get a new consent from your past work”. We can state that this is entirely false, however, if deception is as yet being bundled as the truth, we need to dispute them.
Find out more about GDPR Technical Requirements
Consent under GDPR is not a compliance guarantee
As the Information Commissioner’s Office (ICO) states in her blog consent does not guarantee the GDPR compliance for your organisation and just one approach of the many GDPR requirements, yet it’s by all account not the only way.
Scaremongering articles about consent under GDPR frequently need further information about all the distinctive legal bases companies could use for processing and retaining individual’s data.
For handling to be legitimate under the GDPR, you have to distinguish a legal basis to do so. There are six legal grounds available for you to choose from. No single assumption is ‘better’ or more essential than the others – which one is fitting will rely upon your business industry and relations with your clients.
1. Consent: the individual has given clear consent for you to process their data for a specific purpose.
2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
In case your company is still trying to become GDPR compliant, you should proceed with your efforts even now when the deadline passed. You have to remember that the deadline is just a beginning and GDPR compliance culture should be an ongoing process. Companies need to tailor GDPR culture from the highest level management in their operations and sustain their effort over time. This is the ideal approach to comply with GDPR.
See also GDPR for Tech Companies: Compliance Guide
Consent under GDPR from past clients
Companies don’t need to obtain new consent from their previous clients in anticipation with GDPR. Consent under GDPR sets a higher standard than Data Protection Act, so it’s critical to check data procedures and document them to make your past consents meet the new GDPR bar. On the plus side, if they already do, there is no reason to get fresh consents. Where you have already established relations with current clients who have acquired products or services from your organisation, it may not be essential to get a new consent.
It’s necessary to note that in some cases it may not be appropriate to recollect new consent under GDPR if you are uncertain how you gathered and processed individual’s data because the consent would not meet the standard under the current Data Protection Act.
You may have noticed that companies send these long emails inquiring as to whether customers are still happy to hear from them. So consider whether you have to get a new consent before you send that email and keep in mind to set procedures in place for individuals to withdraw their consent effortlessly. Furthermore, if your organisation to make any changes to their current terms and conditions, they must notify users about it.
If consent under GDPR does not have already well-established legal basis, companies should focus on setting up informative and unambiguous terms. Businesses risk non-compliance if their messages are too long and vital information is hidden ambiguous text. Individuals should unmistakably comprehend what they agree to. Being transparent and straightforward is a crucial part of the consent under GDPR, and the ICO has provided guidance on educating individuals about how their information is utilised.
Before sending your emails, your organisation must consider what is the best approach to reach out to your clients because it might not by email. Consider data protection by design. More specifically, where can this information be presented to have practical impact and visibility.
Some organisations believe that they will lose customers and business by complying with GDPR, but the truth is that it makes companies more trustworthy and can give them a lead in boosting customer satisfaction and build client confidence. A research shows that just 20% of the people in the UK have trust and confidence in organisations handling their personal data.
Check our article on GDPR for Small Business Owners
Get GDPR Ready with Apex
City & Guilds Accredited eLearning
Develops Data Safety knowledge
Instantly available course
Completed in 60 minutes
Subject Access Request game
Interviews with legal experts
Certificate for your CV