All businesses should be aware that they need a lawful basis for processing their customers’ personal data. If you rely on consent, it must be freely given, specific, informed and an unambiguous indication of the individual’s wishes, as required by the GDPR and, in the UK, the Data Protection Act 2018 (DPA).
To assist organisations, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), has produced the following detailed guidance: ICO - Guide to the General Data Protection Regulation (GDPR).
The ICO’s guidance notes explain that the GDPR’s standard of consent requires:
- an “unambiguous indication of the data subject’s wishes… by a statement or by clear affirmative action” (the ICO gives a helpful list of some opt-in mechanisms)
- for purposes requiring explicit consent (e.g. processing special category, i.e. sensitive, personal data), consent given by an express statement confirmed in words, rather than inferred from other affirmative actions such as ticking a box
- granular options so that people can consent separately to distinct processing operations (applicable if you process personal data for more than one purpose or use different types of processing)
- a simple, easy-to-access way for people to withdraw their consent
There are also requirements for obtaining children’s consent for online services, and consent for scientific research purposes. The ICO has published separate guidance on children’s privacy: Children and the GDPR.
Here are some more tips to keep in mind:
- Active opt-in: silence, pre-ticked boxes, inactivity or blanket acceptance of your terms and conditions are invalid – remember, failure to opt out is not consent.
- Unbundled: consent requests should be separate from other terms and conditions – do not bundle your request with other terms and conditions or bury it. Use plain English when asking for consent – make your request prominent, and keep it concise and easy to understand. Do not make consent a precondition of the service you are providing. If the processing is genuinely necessary to deliver the service, consent is the wrong lawful basis; examine the other lawful bases instead, such as the processing being necessary for the performance of a contract.
- Named: who will rely on the consent? Make sure to name your organisation and any third-party organisations who will rely on it (e.g. do not just refer to “our third-party partners” or to categories of third-party organisations).
- Documented: once you have obtained the individual’s consent, keep clear records for your audit trail (including what they were told, and when and how they consented) and keep these under review.
- Easy to withdraw: it must be as easy to withdraw consent as it was to give consent. This means that you must tell people they have the right to withdraw their consent at any time and how to do this. You need to have simple and effective withdrawal mechanisms in place.
The ICO’s guidance notes provide a helpful checklist, but if you require further assistance or information regarding the GDPR, we are happy to assist. Please also refer to our GDPR guide for more information: The General Data Protection Regulations, A Quick Guide
A final word of warning – please pay careful attention to the ICO’s note about the penalties for getting this wrong. Not only may businesses suffer reputational damage, but they could face heavy administrative fines (up to €20 million or 4% of total worldwide annual turnover, whichever is higher)!