One of the key principles of GDPR is the right to clear and transparent information, which was emphasised by Helen Dixon last week when she spoke at the CIPL/Irish Data Protection Commission Workshop on accountability. With this in mind, this week we are going to look at ways of obtaining consent that are transparent and use clear and plain language.
Consent is one of the six lawful reasons to obtain and process data, and to use consent as a legal basis it must meet certain conditions. GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
What this means is that the consent must be:
- Freely given
- Specific
- Informed
- Unambiguous
Freely given means that there should be no conditions attached to the consent. You cannot force a data subject to give consent, and it must be made very clear what they are signing up for. If you must process the data regardless, you need to choose another legal basis for processing it. In addition, the use of pre-ticked boxes or silence is no longer seen as freely given consent under GDPR.
An example of asking for consent in a clear and transparent manner might be as follows (please note this example is for illustrative purposes only):
Yes, I would like to receive updates from Joe Bloggs Limited on products & services, promotional offers, events and news from Joe Bloggs Limited via:
- SMS – tick box
- Email – tick box
- Post – tick box
No, I would not like to receive any updates – tick box
The customer is clearly able to select their preferred communication method and to select either yes or no to give or refuse their consent. One of the key principles of GDPR is to protect the data privacy rights of individuals. Asking for consent clearly and freely demonstrates that your business is upholding the rights of the individual, and this creates trust between the business and those who interact with it.
The request for consent must be specific, so that the person giving their consent is very clear on why they are handing over their personal data. The example above details exactly what the customer is signing up for. However, if Joe Bloggs Limited wanted to contact its customers for another reason, it would need to obtain additional consent for that. It is helpful to determine all the reasons why you want to contact your customers and list them when obtaining consent in the first instance, as this saves you going back to them in the future.
In order for the consent to be informed, the above example lets the data subject know exactly what they are signing up for and the name of the company they are signing up with, and they can choose their preferred method of communication if they select the yes option.
Finally, the above example is unambiguous because it gives the data subject the option to select yes or no, each by an affirmative action, even when they select the no option. If you choose to use consent as your legal basis, be aware that the data subject can revoke their consent at any time and ask for their data, including any backups, to be erased. Before looking into obtaining consent, it may be better for your organisation to rely on a different legal basis to process data.
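The four conditions discussed above can be enforced at the point where a consent form is submitted, rather than left to the reader of a tick box. The following is an added example, not code from the original article or from the SFA: it models the Joe Bloggs Limited form, treats an untouched form (silence) and a form with both boxes ticked as invalid, requires at least one channel for a yes, records the controller name and the listed purposes so the record is specific and informed, and supports withdrawal at any time. The form field names, the ConsentRecord class and the rule wording are assumptions made for this illustration.

```python
"""Consent capture for the Joe Bloggs Limited example (added illustration).

The controller name, purposes and channels come from the article's example;
the form keys, the ConsentRecord class and the validation rules are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

CONTROLLER = "Joe Bloggs Limited"
PURPOSES = ("products & services", "promotional offers", "events", "news")
CHANNELS = ("sms", "email", "post")


class ConsentError(ValueError):
    """Raised when a submission does not amount to valid consent."""


@dataclass
class ConsentRecord:
    controller: str
    purposes: Tuple[str, ...]
    channels: Tuple[str, ...]      # empty when the data subject chose 'no'
    given: bool
    recorded_at: datetime
    withdrawn_at: Optional[datetime] = None


def blank_form() -> dict:
    """Default form state: every box unticked (no pre-ticked consent)."""
    return {"yes": False, "no": False, "sms": False, "email": False, "post": False}


def capture_consent(form: dict) -> ConsentRecord:
    """Validate a submitted form against the four consent conditions.

    Missing keys are treated as unticked, so silence never becomes consent.
    """
    yes = bool(form.get("yes", False))
    no = bool(form.get("no", False))
    channels = tuple(c for c in CHANNELS if form.get(c, False))

    # Unambiguous: exactly one affirmative choice, yes or no.
    if yes == no:
        raise ConsentError("an explicit yes or no is required (not both, not neither)")
    # Specific: a yes must name at least one communication channel.
    if yes and not channels:
        raise ConsentError("'yes' must be accompanied by at least one channel")
    # Freely given / unambiguous: a channel ticked alongside 'no' is contradictory.
    if no and channels:
        raise ConsentError("channels ticked but consent refused; submission rejected")

    return ConsentRecord(
        controller=CONTROLLER,
        purposes=PURPOSES,          # informed: the purposes listed on the form
        channels=channels if yes else (),
        given=yes,
        recorded_at=datetime.now(timezone.utc),
    )


def is_valid_submission(form: dict) -> bool:
    """True if the form would be accepted as a valid consent decision."""
    try:
        capture_consent(form)
        return True
    except ConsentError:
        return False


def withdraw(record: ConsentRecord) -> ConsentRecord:
    """Consent can be revoked at any time; keep the record but mark it withdrawn."""
    record.withdrawn_at = datetime.now(timezone.utc)
    return record


def may_contact(record: ConsentRecord, channel: str, purpose: str) -> bool:
    """Only contact for a listed purpose, over a chosen channel, while consent stands."""
    if not record.given or record.withdrawn_at is not None:
        return False
    return channel in record.channels and purpose in record.purposes


if __name__ == "__main__":
    # Constructed submission: yes, by email only.
    rec = capture_consent({"yes": True, "email": True})
    print("email/news allowed:", may_contact(rec, "email", "news"))
    print("sms/news allowed:", may_contact(rec, "sms", "news"))
    withdraw(rec)
    print("after withdrawal:", may_contact(rec, "email", "news"))
    print("untouched form valid:", is_valid_submission(blank_form()))
```

Note that the blank form is rejected rather than recorded as a refusal: an untouched form tells you nothing about the data subject's wishes, which is exactly why pre-ticked boxes and silence do not count. A contact for a purpose not listed at capture time, such as a new survey, fails the may_contact check, which is the code-level counterpart of needing fresh consent for a new reason.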
Next week we will look at the six lawful reasons to obtain and process data. In the meantime you can avail of the GDPR toolkit to conduct your GDPR audit from the SFA website.
If you would like more information on GDPR or to discuss your requirements further please contact Helen at SFA on 01 605 1668 or at firstname.lastname@example.org or visit our HR and Employment Law advice section on www.sfa.ie