Managing GDPR's Consent Requirements
by Jaap van Duijvenbode on April 24, 2018
GDPR raises the stakes of obtaining consent and processing personal data. Fines run up to the greater of €10 million or 2 percent of worldwide annual turnover for lower-tier infringements, and up to the greater of €20 million or 4 percent for higher-tier ones; breaches of the conditions for consent (Article 7) fall in the higher tier.
It's up to you to understand what's required and to come up with effective policy management processes. Personal data needs to be handled in good faith, with each individual understanding and consenting to how you plan to use it. Centralizing your data and setting up role-based access policies can head off a lot of legal hassle and some painful financial losses.
What Is Consent in GDPR?
Consent is one of the lawful bases on which a controller may process the personal data of individuals in the EU (Article 6); when you rely on it, GDPR attaches specific conditions. For online services offered directly to a child, the age at which a child can give consent is 16, although member states may set a lower age, no lower than 13. Under GDPR, consent must be:
- Freely given Each individual must have a genuine choice about whether to share their data for processing. You can't make a service conditional on consent to processing that isn't necessary for that service, and withdrawing consent must be as easy as giving it.
- Specific The request for consent must be clearly distinguishable from other matters; in other words, you can't bury it in your terms and conditions and then require acceptance of those terms to use your products or services. You also need consent for each processing purpose, so an activity that serves several purposes needs a separate choice for each.
- Informed Individuals should be aware of the controller's identity and the specific purpose of the processing activity. You must also inform individuals of their right to withdraw consent.
- Unambiguous It should be clear to the individual, to the organization, and to any regulator, that the individual intended to provide consent.
- A statement or clear affirmative action Silence, inactivity, and pre-ticked checkboxes on a form do not count. Again, no burying the affirmative statement in your terms and conditions. You have to identify yourself, explain what you plan to do with the individual's data, and ask whether you may retain and process it.
Certain types of processing require "explicit consent": an express statement, normally in writing (an oral statement can qualify, but it is hard to evidence later). You need strict policy management around the special categories of personal data in Article 9, which are data revealing...
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a person's sex life or sexual orientation
Explicit consent is also one of the grounds for decisions based solely on automated processing that have legal or similarly significant effects on the individual (Article 22), and for transferring personal data to a country without an adequacy decision when no other safeguard or derogation applies (Article 49).
Individuals' Rights Concerning Their Data
Among the rights GDPR gives individuals over their data, three matter most when you rely on consent.
- The right to erasure (Article 17), popularly called "the right to be forgotten": if someone withdraws consent and you have no other legal ground for the processing, you're responsible for deleting the data.
- The right to restriction of processing (Article 18): individuals can require you to stop processing their data beyond merely storing it, and you have to comply unless an exception applies, such as processing needed for the establishment, exercise or defence of legal claims.
- The right to data portability (Article 20): an individual can request the personal data they provided to you, where the processing is based on consent or contract and carried out by automated means, in a structured, commonly used, machine-readable format. The broader right of access to all the personal data you hold about them is Article 15.
Processes and Policy Management
There are certain interactions between your organization and individuals that have a clear opt-in character: the subscription to a newsletter or to a blog, for example, or the decision to share an email address in exchange for downloading a content asset. In those instances, you need to add some information to the opt-in process you already have. You should explain what you plan to do with the data and add a statement about the individual's right to withdraw consent at any time.
Automatic opt-in should become a thing of the past. You should no longer, for instance, pre-fill the checkbox that signs a customer up for your newsletter when they place an order. Also, in processes where you've been capturing data without really saying so, for example saving customers' browsing history for use in online retargeting ads later, you need to create an opt-in process. You can tailor it to your organization, keeping in mind that it should be a clear, concise, and separate permission that causes minimal disruption to the individual's interaction with you. You should also make it easy for them to withdraw consent whenever they wish.
Talon FAST™ helps you take control of policy management by centralizing data and letting you control access to that central store using Active Directory or other identity and access management tools. You no longer have to worry about copies of data being stored at your remote and branch offices, thanks to the Talon FAST™ intelligent cache, which only caches data locally while it's active and periodically purges inactive data from the cache according to policies you set. Learn more about the Talon FAST™ solution and how it can increase transparency around your data flows, simplify security, and help keep your actual processing activities consistent with what individuals expect when they give their consent.
Finally, remember that the burden is always on the controller—you—to demonstrate that you obtained consent, unambiguous or explicit depending on the standard that applies. Keep a record of each opt-in (who consented, when, for which purpose, and the wording they saw) under a defined retention policy, so that you can always show you acted in good faith, and make it easy for individuals to exercise their rights to portability and restriction, and even their right to be forgotten.
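The opt-in and record-keeping points above (per-purpose consent, no pre-ticked defaults, explicit consent for special categories, withdrawal, restriction, portability and erasure) come together in a small consent ledger. The code below is an added illustration written for this article; it is not Talon FAST™ code or any official GDPR tooling. Everything in it is assumed for the example: purposes are plain strings, special-category purposes are listed by the caller, storage is in memory, and each grant records the version of the notice text the individual saw so it can be shown later.

```python
# Added example: a minimal per-purpose consent ledger (not Talon's or any
# official GDPR code). Purpose names, the subject identifier and the in-memory
# store are assumptions made for this illustration.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str       # which wording the individual actually agreed to
    explicit: bool            # express statement, required for special categories
    granted_at: str           # ISO-8601 UTC timestamp, kept as evidence
    withdrawn_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class ConsentLedger:
    """One record per (subject, purpose) grant, so consent stays specific."""

    def __init__(self, special_purposes: Set[str]) -> None:
        self._records: List[ConsentRecord] = []
        self._restricted: Set[Tuple[str, str]] = set()   # Article 18 restrictions
        self._special = set(special_purposes)

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       affirmative: bool, explicit: bool = False) -> ConsentRecord:
        # A form left in its default state is not consent: the caller passes
        # affirmative=True only when the individual took a positive action.
        if not affirmative:
            raise ValueError("consent needs a clear affirmative action (no pre-ticked boxes)")
        if purpose in self._special and not explicit:
            raise ValueError(f"{purpose!r} is a special category: explicit consent needed")
        rec = ConsentRecord(subject_id, purpose, notice_version, explicit, _now())
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: Optional[str] = None) -> int:
        """Withdraw one purpose (or all). Records stay, timestamped, as evidence."""
        stamp, n = _now(), 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.withdrawn_at is None
                    and (purpose is None or rec.purpose == purpose)):
                rec.withdrawn_at = stamp
                n += 1
        return n

    def restrict(self, subject_id: str, purpose: str) -> None:
        self._restricted.add((subject_id, purpose))

    def can_process(self, subject_id: str, purpose: str) -> bool:
        """Gate each processing activity on a live grant for that exact purpose
        and no standing restriction (other lawful bases are out of scope here)."""
        if (subject_id, purpose) in self._restricted:
            return False
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def export(self, subject_id: str) -> List[Dict]:
        """Machine-readable view of every consent event for the subject."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]

    def erase(self, subject_id: str) -> int:
        """Right to erasure: drop the subject's records and restrictions."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        self._restricted = {p for p in self._restricted if p[0] != subject_id}
        return before - len(self._records)


def demo() -> dict:
    """Constructed scenario; returns the observable outcomes of each step."""
    ledger = ConsentLedger(special_purposes={"health_profiling"})
    s = "subject-42"   # constructed identifier
    ledger.record_consent(s, "newsletter", "notice-v3", affirmative=True)
    ledger.record_consent(s, "ad_retargeting", "notice-v3", affirmative=True)
    out = {"newsletter_ok": ledger.can_process(s, "newsletter")}
    out["withdrawn"] = ledger.withdraw(s, "ad_retargeting")
    out["retargeting_after_withdraw"] = ledger.can_process(s, "ad_retargeting")
    ledger.restrict(s, "newsletter")
    out["newsletter_restricted"] = ledger.can_process(s, "newsletter")
    try:
        ledger.record_consent(s, "health_profiling", "notice-v3", affirmative=True)
        out["special_without_explicit"] = "accepted"
    except ValueError:
        out["special_without_explicit"] = "rejected"
    out["export_count"] = len(ledger.export(s))
    out["erased"] = ledger.erase(s)
    out["after_erase"] = ledger.export(s)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices worth noting: withdrawal marks the record rather than deleting it, because the timestamped history is what lets you demonstrate that consent existed and when it ended; and `can_process` is the single gate every processing job should call, so a withdrawal or restriction takes effect everywhere at once rather than depending on each job remembering to check.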