That’s not a simple question in this day and age, but in life – personal and business – it’s important not to over-step the mark. Consent is the legal principle that allows you to do something to or for someone else.
It’s the fundamental basis of GDPR. But it’s nothing new. A version of the Data Protection Act has been around since 1984, and consent has always been its cornerstone.
You need the consent of a data subject – a person about whom you hold information – before you use their information. What is changing, however, is how you get that consent.
The GDPR defined consent as “freely given, specific, informed and unambiguous indication … by a statement or by a clear affirmative action”.
What does that mean?
- Freely given. There needs to be a genuine choice on the part of the individual as to whether or not they give their consent. You must provide full details in advance of what data you will be collecting and how you intend to use that data. You will need to review your privacy notices and make sure that this appears in a pop up on your website
- The individual should be aware at least of the identity of the data controller and the intended purposes to which their information might be put – and informed of their right to withdraw consent. You will therefore need to ensure that any individual who signs up to receiving a newsletter for example is just as easily able to unsubscribe.
- You will be required to prove that you had consent before processing any data. That will be simpler if the processing is simple, for example signing up to a newsletter or blog, but more difficult when you are intending to process data in different ways. A clear data processing policy wil often be necessary here, so that if challenged you are able to establish when and how consent was given. .
- You can no longer rely on silence, pre-ticked boxes or inaction on the part of the individual to prove that you have their consent. The guidance on GDPR has suggested that you will be able to use tick boxes, but you will need the individual to click on the button to produce the tick.
And if you act without consent?
We know of claims specialists being set up to pursue businesses who breach the GDPR when processing data. Do you want to face a claim?
You must take steps now to ensure that you are able to meet the expanded definition of consent and keep an audit trail of exactly when consent has been given. The more you can establish that consent was freely given, informed and unambiguous and given, the easier you will be able to defend any suggestion of a breach.
Time is running out, the GDPR will come into force on the 25th May 2018, don’t get caught out! Click here to read our 12 steps to GDPR compliance.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.