With the imminent introduction of GDPR on May 25th, you may have noticed you're getting a flurry of 'opt-in' emails from your various membership sites, news groups, mailing lists and social media.
As per the new rules, they are all trying to gain renewed consent to contact you. The key question is: what counts as consent under GDPR?
The GDPR definition of consent reads:
"any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

Which may not be all that readily obvious. So let's break that down.
The first significant pillar of GDPR is that your organisation has to offer real freedom for individuals to make a choice. For legal reasons, public authorities can’t freely offer consent choices, and employers have limited choices for employees owing to the regulatory nature of the relationship; in most other cases, individual consent is mandatory.
Generic consent is no longer valid; consent should be specific about the intended purpose, method of processing, channels of use, sharing and retention.
Not only must the individual be informed of the purpose and use of their personal data, they should also be made aware of their rights, such as the right to withdraw consent. The language, images, graphics and layout of choices must not be misleading or obscure, so that the grounds for consent can be well understood by the individual.
This rules out the practice of default choices such as default opt-in, pre-ticked boxes and questions phrased in the negative.
There is a special category of consent called "explicit consent", which is required to process special category data and for automated decision making. The key difference is that ‘explicit’ consent must be affirmed in a clear oral or written statement.
What does this look like on the screen or on paper? Following posts will describe what we're doing with clients. RC