The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.

In order to get valid consent from individuals under the GDPR, you will need to think carefully about how you (1) request, (2) record and (3) manage consent (but remember consent isn't always the most appropriate legal basis for processing – for more information see yesterday's blog).

(1) Requesting consent

When requesting consent, there are a few simple rules to follow to ensure that you do not fall foul of the GDPR:

  • Consent requests should be kept separate from general terms and conditions and should be in clear, easy to understand language (remember – it needs to "stand out from the crowd").
  • You should avoid confusing or technical language and use consistent language across consent options (remember – "plain and clear").
  • In order to make your consent requests as specific and informed as you can, you should include the name of your organisation and any third parties who will be relying on the consent or data, why you want the data and what you are going to do with the data (remember – "all purposes need to be explained").
  • You should also make clear to customers that they can withdraw consent at any time and how to do this (remember – "it should be as easy to withdraw consent as it was to provide it").

Methods of obtaining consent

There are numerous methods you can use to request consent, but keep in mind that whatever you decide on must meet the test of an unambiguous indication by clear affirmative action, as set out in the GDPR's definition of consent. You must therefore ask individuals to opt in. You can do this in many ways, for example by getting the individual to sign a consent statement on a paper form, tick an opt-in box electronically, select from yes/no options or respond to an email requesting consent. Opt-out boxes, unlike pre-ticked boxes, are not expressly banned by the GDPR; however, since they are essentially the same, we assume these too will be covered by the GDPR ban.

(2) Recording consent

Once consent is obtained, it should be recorded in a manner that shows how and when it was given by the individual. Good consent records should show who consented, when they consented, the information they were provided with before consenting and how they consented. For completeness, the record should also show whether they have since withdrawn that consent. How you comply with this obligation will differ from organisation to organisation; it may mean, for example, speaking to your software developer to find out whether your current systems can record this information or can otherwise help you manage this obligation.

(3) Managing consent

Consent is part of your ongoing relationship with individuals (it is a "dynamic" thing) and should therefore be managed appropriately:

  • It is good practice to provide individuals with preference tools where they can easily access and manage their consent and change their preferences if needed.
  • If anything about the original consent changes in any way, e.g. the nature of the data you are processing, or you now want to process the data for a different or additional purpose, then you will need to get fresh consent from the individual – that's only fair.
  • If there have been no changes in the data processing, it is good practice to refresh consent on a regular basis. The ICO recommends refreshing consent every 2 years – but you will need to think about what is appropriate to your business and the type of data you collect and use – and even the individuals from whom you collect the data.
  • The GDPR gives individuals the right to withdraw consent at any time. You must provide a mechanism for the individual to withdraw at any time, on their own volition. You must make it as easy to withdraw consent as it was to consent originally. You should be able to manage withdrawals of consent and ensure that data processing is stopped as soon as possible after the withdrawal is made.
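To make the record-keeping in section (2) and the management rules in section (3) concrete, here is an added Python sketch of an append-only consent register that stores who, when, what information and how, marks withdrawals without deleting history, and treats a new purpose, a changed notice or consent older than the refresh interval as no longer usable. It is illustrative code written for this article, not MacRoberts' or the ICO's; the 730-day encoding of "every 2 years", the field names and the "web_tickbox" method label are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The ICO suggests refreshing consent every 2 years; 730 days is my assumed encoding of that.
REFRESH_AFTER = timedelta(days=730)

@dataclass
class ConsentRecord:
    subject_id: str          # who consented
    purposes: frozenset      # what they were told the data would be used for
    notice_version: str      # which version of the information they were shown
    method: str              # how they consented, e.g. "web_tickbox" (assumed label)
    granted_at: datetime     # when
    withdrawn_at: datetime = None   # set on withdrawal; the record itself is never deleted

class ConsentRegister:
    """Append-only register: withdrawal marks a record, it never erases it."""
    def __init__(self):
        self._records = []

    def grant(self, subject_id, purposes, notice_version, method, when):
        rec = ConsentRecord(subject_id, frozenset(purposes), notice_version, method, when)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, when):
        # Withdrawing must be as easy as consenting: one call closes every live record.
        live = [r for r in self._records if r.subject_id == subject_id and r.withdrawn_at is None]
        for r in live:
            r.withdrawn_at = when
        return len(live)

    def is_valid(self, subject_id, purpose, current_notice, now):
        # Usable only if live, covering this purpose, matching the information
        # currently given to individuals, and not older than the refresh interval.
        for r in self._records:
            if r.subject_id != subject_id or r.withdrawn_at is not None:
                continue
            if purpose not in r.purposes or r.notice_version != current_notice:
                continue   # new or changed purpose: fresh consent is required
            if now - r.granted_at > REFRESH_AFTER:
                continue   # stale: refresh before relying on it
            return True
        return False

def day(n):
    # Constructed timeline for the example: n days after 1 March 2017 (UTC).
    return datetime(2017, 3, 1, tzinfo=timezone.utc) + timedelta(days=n)
```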

Final Thoughts

Now, at the end of our mini-series focusing on the ICO guidelines on Consent, what have we learned?

  1. That there is a new, higher standard for obtaining valid consent.
  2. How consent and the GDPR will impact your business.
  3. When consent is appropriate as a legal basis for data processing and when it is not.
  4. How to obtain, record and manage consent effectively.

What to do next?

We encourage all businesses to review the data you hold; how you came to hold that data; and why you hold it. You should also review whether you have a valid basis for processing that data – including consent where appropriate. Conducting a review of your data processing activities will ensure that you are compliant with the GDPR when it comes into force.

MacRoberts provide data protection audit services and other compliance services to help your business in the transition to the GDPR.

Read Part 1: Consent: Getting it right under the new rules #GDPR – Part 1: What is Consent?
Read Part 2: Consent: Getting it right under the new rules #GDPR – Part 2: What does this mean for your business?
Read Part 3: Consent: Getting it right under the new rules #GDPR – Part 3: Do we always need consent?

Contact our Specialist Compliance and Regulatory Lawyers

MacRoberts' team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation. We pride ourselves on our diverse, resourceful and highly skilled team of compliance and regulatory solicitors, who have substantial commercial and legal experience, delivering a pragmatic and commercial approach to our clients and their businesses.

© MacRoberts 2017

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.