Following on from our article "The Murky World of Consent and opt in", we thought we would issue some helpful guidance, not only on consent itself but also on knowing what information you are capturing, what you are doing with this data and how you can prove the lifecycle of this data when it comes to a Subject Access Request.
Let's start with one of the closing points of our previous article: "As a rule of thumb; only use explicit consent as a last resort, as this can be withdrawn at any time". The first thing to consider is whether consent is the best and most appropriate lawful basis for processing at all.
When it comes to opt-in, have you stated the opt-in for your customers and data subjects in clear, plain language, and not buried it deep in a set of terms and conditions? Are you also avoiding pre-ticked boxes? Individuals must positively opt in themselves, and you should offer granular options that clearly define the specific types of processing: email, telephone and post, to give just a few examples.
When asking for consent, have you stated the basic essentials: who your organisation is and how you are going to use the data?
How about informing individuals that they can withdraw their consent at any time? Explain that they can refuse to consent without detriment to them, and that giving consent is not a precondition of receiving the service.
Most importantly, if the service you are offering is online and directed at children, only seek consent if you have age verification in place and parental consent measures to back that consent up.
Let's move on to how you record and manage consent. How do you record how you obtained consent, when you obtained it and exactly what was stated to the individual at that time? This is a requirement of a privacy notice.
Do you regularly review consent, checking that the purposes for processing are still accurate and, if they have changed, that you have processes in place to refresh the consent at an appropriate interval (especially parental consent)?
Have you considered the use of a preference management tool, such as a gateway or portal, to make it easier for individuals to manage or withdraw their consent, and have you publicised how to use these tools?
Letting your customers know that you will not penalise them for withdrawing their consent, and that you process consent withdrawals as soon as feasibly possible, is good practice as well as good customer service.
Now you have your consent in order, do you know what you are actually capturing? This also extends to what you have already captured.
A data audit is a good practical step towards understanding the information you hold and knowing your processes. How you capture this data will inform how, and for what, you are using it. Information also requires review to assess the quality of the data; often, while reviewing the information you hold, you will also assess who has access to it and who you share it with, and then decide how to implement control over the data you hold.
The final piece should always be about retention and indeed the right of erasure, but these are covered in our other articles and throughout the be.GDPR and be.Privacy products.
The new data protection law (GDPR) will impact every organisation that holds or uses European personal data: it applies not only to organisations located within the EU, but also to organisations located outside the EU. To help explain this further, please read our article "GDPR are you ready?"
For more information on who the EU GDPR affects, please read our other articles: https://www.beinfoready.co.uk/latest-data-news/
So, having followed this advice, when you receive your first Subject Access Request under the General Data Protection Regulation you will be able to provide everything you need quickly, and certainly within the allotted one-month response period. Then you can truly state that you are be.Infoready.