GDPR: What changes will mean for consent.

Robin Hamilton, Creative Director

With everyone talking about GDPR, and our clients frequently asking us whether they are doing enough to comply, we thought we ought to shed some light on one of the most prominent topics in our industry – consent.

The GDPR drastically changes what can be classified as consent, and understanding the new requirements will help you make the necessary changes to stay within the law through the period of change and beyond.

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This will see many current practices fall into extinction, for example pre-ticked boxes, bundling extensive T&Cs and silence statements. These practices will make way for other acceptable solutions which involve individuals actively completing an action, such as ticking a box by a simple and specific statement or offering written consent.

Below we have provided a simple checklist for ensuring you are covering all bases and being compliant in your approach to consent.

  • Unbundled – consensual statements for data usage must be separate instances from other terms and conditions
  • Active Opt-in – consent must be given through an action, for instance ticking a box. Pre-ticked boxes are invalid
  • Granular – similarly to ensuring consent is unbundled, it must also be specifically broken down into types of processing and provide a compliant option for consent for each
  • Informed – any explanation of data processing should be clear and simple enough for the individual to understand what they would be consenting to, so that they can make an informed decision
  • No Imbalance of Power – consent cannot be freely given if power over the individual is used to gain consent; power flow must be equal, with no consequences for no consent
  • Easy to Withdraw – perhaps the most notable element of the GDPR is the ability to be forgotten and gain all information a data processor has on you and demand that they no longer have that information

The best solution for any data processor will be to check you are compliant against this checklist and then keep a record of all data you receive, detailing who consented, when they did so, what information you gave them and how they consented to sharing their data.

