New EU-wide Data Protection Regulations come into force on 25th May 2018. The new GDPR has far-reaching consequences for businesses and marketers because it imposes new requirements on organisations that collect, process and store personal data. New fines can be imposed on organisations that do not comply.
One of the first jobs in planning for the GDPR is to document what personal data your organisation holds, where that data came from and who it is shared with.
Probably one of the most discussed areas of the new legislation is the consent of the individual to the organisation holding his or her personal data. The Information Commissioner has set out guidance on this:
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data. When consent is used properly, it helps you build trust and enhance your reputation.
The basic concept of consent, and its main role as one potential lawful basis (or condition) for processing, is not new. The definition and role of consent remains similar to that under the DPA. However, the GDPR builds on the DPA standard of consent in several areas. It contains much more detail and codifies existing European guidance and good practice.
You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:
* Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
* Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
* Granular: give granular options to consent separately to different types of processing wherever appropriate.
* Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
* Documented: keep records to demonstrate what the individual has consented to, including what you told them, and when and how they consented.
* Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
* No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
The Information Commissioner's Office (the ICO) has a useful series of guides, including 'Getting Ready for the GDPR', which can help you work through the steps your organisation needs to take.