News

Obtaining Consent Under the GDPR Checklist

On 25 May 2018, the General Data Protection Regulation (GDPR) comes into effect in the EU and across the United Kingdom. The GDPR replaces the Data Protection Act, expands the rights of individuals over their data, and places greater obligations on businesses and other entities that process personal data.

While the GDPR includes a number of important changes regarding cyber-security and data management, one of the most important involves strengthening the standards for obtaining consent to process data. Failure to obtain proper consent to process data, which includes contacting individuals, risks whopping fines. The GDPR’s maximum fine tops out at €20 million, or 4 per cent of global turnover, whichever is higher. The consequences are steep and there is no room for error.

But GS Group is here with guidance from the Information Commissioner’s Office (ICO) to help your business obtain consent from prospects and clients while staying compliant with the GDPR. The checklist and best practice guidance below allow you to examine your own consent processes.

To comply with the GDPR’s consent requirements and decide whether your existing consents meet the new, higher GDPR standard, your consent mechanisms should demonstrate the following:

  • Unbundled: Consent requests must be separate from other terms and conditions.
  • Active opt-in: Pre-ticked opt-in boxes are invalid – instead use unticked opt-in boxes or similar active opt-in methods, such as a binary choice given equal prominence.
  • Granular: Give granular options to consent separately to different types of data processing wherever appropriate.
  • Named: Name your organisation and any third parties who will be relying on the consent.
  • Documented: Keep records to demonstrate what individuals have consented to, including what they were told, and when and how they consented.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to consent, meaning you need to have simple and effective withdrawal mechanisms in place.
  • No imbalance in the relationship: Consent will not be ‘freely given’ if there is an imbalance in the relationship between the individual and data controller.

Access the full checklist here: Obtaining Consent Under the GDPR Checklist
