Saturday, 12 May 2018

How-to: ICO checklist for gaining consent on opt-in forms


Supporting the rollout of the new General Data Protection Regulation (GDPR), the ICO in the UK has published an at-a-glance checklist of items to consider for the opt-in form and signup process. The checklist includes the following items:

Asking for consent:
  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give individual (‘granular’) options to consent separately to different purposes and types of processing.
  • We name our organisation and any third party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.
You also need to take into account the requirements for recording and managing the consents you gather; otherwise you run the risk of failing GDPR compliance later on. Your systems and processes must be able to interrogate those consents, or you could be in breach.

This is looking forward from the what to the how.

Recording consent:
  • We keep a record of when and how we got consent from the individual.
  • We keep a record of exactly what they were told at the time.
Managing consent:
  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • We consider using privacy dashboards or other preference management tools as a matter of good practice.
  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • We act on withdrawals of consent as soon as we can.
  • We don’t penalise individuals who wish to withdraw consent.
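As an added illustration, not part of the original post or of the ICO guidance, here is a small Python consent ledger that stores what the "Recording consent" items ask for (when, how, exactly what the person was told, and which controllers were named) as append-only events, and answers the "Managing consent" questions: is consent for a given purpose currently valid, which record evidences it, and which consents are old enough to need refreshing. The `ConsentEvent` and `ConsentLedger` names, the purposes and the sample history are constructed assumptions; a production system would persist the same events to durable, tamper-evident storage rather than an in-memory list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the append-only consent log.

    Captures the 'recording consent' items: when and how consent was
    obtained (or withdrawn) and exactly what the individual was told.
    """
    subject_id: str
    purpose: str                  # one granular purpose, e.g. "newsletter"
    granted: bool                 # True = positive opt-in, False = withdrawal
    recorded_at: datetime         # timezone-aware UTC timestamp
    method: str                   # how: "web-form-unticked-box", "preference-dashboard", ...
    notice_text: str              # the consent wording shown at the time
    controllers: Tuple[str, ...]  # our organisation plus any named third-party controllers


class ConsentLedger:
    """Append-only store that can be interrogated for the current consent state."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_opt_in(self, subject_id: str, purpose: str, method: str,
                      notice_text: str, controllers: Tuple[str, ...],
                      at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, True, at, method, notice_text, controllers)
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, method: str,
                          at: datetime) -> ConsentEvent:
        # A withdrawal is its own event, so the earlier opt-in record is never overwritten.
        ev = ConsentEvent(subject_id, purpose, False, at, method,
                          "withdrawal requested by the individual", ())
        self._events.append(ev)
        return ev

    def _latest(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """Most recent event for this subject and purpose recorded on or before `at`."""
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.recorded_at <= at]
        return max(matching, key=lambda e: e.recorded_at) if matching else None

    def has_consent(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """No event means no consent: there is no default or implied opt-in."""
        latest = self._latest(subject_id, purpose, at)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str, at: datetime) -> Optional[ConsentEvent]:
        """The opt-in record that currently grounds the processing, for audit purposes."""
        latest = self._latest(subject_id, purpose, at)
        return latest if latest is not None and latest.granted else None

    def due_for_refresh(self, max_age: timedelta, now: datetime) -> List[Tuple[str, str]]:
        """Active consents older than `max_age`, i.e. candidates for re-consent."""
        pairs = {(e.subject_id, e.purpose) for e in self._events}
        due = []
        for subject_id, purpose in sorted(pairs):
            ev = self.evidence(subject_id, purpose, now)
            if ev is not None and now - ev.recorded_at > max_age:
                due.append((subject_id, purpose))
        return due


# Constructed sample timeline (assumed values, not real records).
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)
NEWSLETTER_NOTICE = "Tick to receive our monthly newsletter by email. You can withdraw at any time."


def demo_ledger() -> ConsentLedger:
    """Builds the constructed sample history used by the usage example."""
    ledger = ConsentLedger()
    # Granular consent: newsletter and partner offers are separate, unticked opt-ins.
    ledger.record_opt_in("user-42", "newsletter", "web-form-unticked-box",
                         NEWSLETTER_NOTICE, ("Example Org Ltd",), T0)
    ledger.record_opt_in("user-42", "partner-offers", "web-form-unticked-box",
                         "Tick to let Partner Co contact you about offers.",
                         ("Example Org Ltd", "Partner Co"), T0)
    # The individual withdraws the partner-offers consent a year later via a dashboard.
    ledger.record_withdrawal("user-42", "partner-offers", "preference-dashboard",
                             T0 + timedelta(days=365))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print(ledger.has_consent("user-42", "newsletter", NOW))      # True
    print(ledger.has_consent("user-42", "partner-offers", NOW))  # False after the withdrawal
    print(ledger.due_for_refresh(timedelta(days=365), NOW))      # [('user-42', 'newsletter')]
```

The important design choice is that the ledger is append-only: a withdrawal is a new event rather than an update, so the "when, how and what were they told" evidence for the original opt-in survives, and `has_consent` answers from the latest event, returning False when there is no record at all.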

References

GDPR consent guidance — https://ico.org.uk/about-the-ico/consultations/gdpr-consent-guidance/

What that doesn't give you is practical examples on how to lay out your consent forms. We'll look at that in following posts. RC
