How-to: Gaining consent under GDPR (Part IV)

GDPR came into effect on May 25th, and after all the research, interpretations and recommendations, what did we actually implement on our consent forms?

The forms currently in use by our main client currently look like this:

Permissions (please tick):
  • I give permission for first aid trained staff to carry out any emergency medical treatment required by my child during the session(s).
  • I confirm that my child is in good health and fit to participate in supervised activities.
  • I consent to photographs/film being taken of my child. These will only be used to meet funding requirements, or to be published in local newspapers or on [Organisation]'s promotional materials, such as posters, the website, Facebook and Twitter.
  • I consent to being contacted about [Organisation] activities I have booked myself/my child onto to receive important information about the activity
    • by email
    • by SMS text
    • by telephone
  • I would like to receive information about [Organisation]’s activities and other events by email.
[Organisation], on behalf of itself, employees and agents, hereby disclaims all liability, except where negligence can be proven in respect of personal injury or loss suffered by participants attending its sessions/activities. 

[Organisation] reserves the right to cancel any activity where insufficient numbers apply and to ask you to collect your child immediately if your child behaves in a manner that is deemed unacceptable. Please note you can change your permissions by completing a new registration form or opting out online. 

For [Organisation]’s full privacy policy or to opt out online, see our privacy policy.

This one doesn't do anything by postal mail (charity organisation; printing and postage is too expensive), so we were able to drop that one.
Given some of the grey areas in the regulations, we're waiting to see just how strictly the ICO is going to enforce items such as the channel/frequency combination for contact; frequency for contact is specified in the regulations, but the guidance doesn't indicate any expectations of how this should be implemented. How should you specify frequency of contact  for each channel in respect of each organisation's activities, which may vary; and if a fixed schedule changes, do you have to go out to regain consent? For every channel, or just the one affected?

In the strict interpretation of the regulations, the answer would appear to be yes. But no one we've seen is doing it. And a lot of the re-consent contacts are less than specific about channels according to our interpretation of the GDPR. Almost everyone is relying on the 'legitimate interest' basis and doing the bare minimum, which may or may not turn out to be valid.

Is the GDPR as written entirely practical and reasonable for all organisations of all sizes to follow? How will the ICO enforce GDPR with limited resources anyway? We're not done yet. RC

Image credit:  Youth-soccer-indiana By Tysto [Public domain], from Wikimedia Commons"