Sunday, 27 May 2018

How-to: Gaining consent under GDPR (Part II)

Five principles of consent in the GDPR

May 25th saw the implementation of General Data Protection Regulation (GDPR) legislation and I don't doubt for a minute that there are many organisations still not compliant. If you still don't get it, then first of all fix your privacy policy and post a privacy notice on your website. Second, gain consent to collect any personal information you need to keep operating.

Our last post covered the definition of consent under GDPR. Turning to the practical aspects of consent under the new regulation, there are five principles of consent in the GDPR which the ICO highlights as key changes:

Unbundled

Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless it is necessary for that service.

Active opt-in

Pre-ticked opt-in boxes on consent forms are invalid – use unticked opt-in boxes or similar active opt-in methods, such as a binary choice where both options have equal prominence.

Granular

Provide granular options to consent separately for different channels (phone, email, SMS, direct mail) for contact.

Named

You need to name your organisation and any third parties who will be relying on consent. Citing broad categories of third-party organisations, such as 'local authorities' or 'sports governing bodies', is no longer acceptable under the GDPR.

Easy to withdraw

You need not only to tell people they have the right to withdraw their consent at any time, but how to do this. It must be as easy to withdraw consent as it was to give it, which means having a simple and effective withdrawal process. It must be live alongside your consent process, not 'coming soon'.

Next up, how to put these into practice on your consent forms. RC

Image credit: National Capitol Columns - Washington, D.C. By AgnosticPreachersKid [CC BY-SA 3.0], from Wikimedia Commons
