Following on from our article on “The Murky World of Consent and opt in“, we thought we would issue some helpful guidance, not only on consent itself but knowing what information you are capturing, what you are doing with this data and how you can prove the lifecycle of this data when it comes to a Subject Access Request.
Asking for Consent
Let’s start with one of the ending points of our previous article, “As a rule of thumb; only use explicit consent as a last resort, as this can be withdrawn at any time”. The first thing to consider is whether consent is the best and most appropriate lawful form of processing?
When it comes to opt-in, have you stated the opt-in for your customers and data subjects in clear, plain language and not buried it deep in a set of terms and conditions? Also not using any pre-ticked boxes as they must positively opt-in themselves and have granular options that clearly define the specific processing types; email, telephone, post as just a few examples of such definitions.
When asking for consent have you stated the basic essentials? Who your organisation is and how you are going to be using the data.
How about informing the individuals that they can withdraw their consent at any time? Explain they can even refuse to consent without detriment to them, or that not providing consent is not a precondition of providing a service.
Most importantly if the service you are offering is online and directed at children, then only to seek consent if you have age verification in place and parental consent measures to back up this consent.
Record and Manage Consent
Let’s move on to how you record and manage consent. How do you record how you obtained consent, when you obtained it and exactly how this was stated to the individual at that time? This is a requisite of a privacy notice.
Do you regularly review consent, checking if the purposes for processing are accurate and if they have changed, that you have processes in place to refresh the consent at an appropriate period (especially parental consent).
Have you considered the use of a preference management tool, like a gateway or portal, to make it easier for individuals to manage or withdraw their consent and have you made public these measures of how to use these tools?
Letting your customers know that you will not penalise them for withdrawing their consent and that you process these consent withdrawals as soon as feasibly possible is good practice, as well as a good customer service ethic.
Now you have your consent in order, do you know what you are actually capturing? This also extends to what you have already captured.
A data audit is a good practical step to help in understanding the information you hold and knowing your processes. How you capture this data will aid with how and what you are using it for. Information also requires review, to consider how good the quality of the data is, as often you are reviewing this information you hold to assess who has access to it, who you share it with and then decide how you implement control over the data you hold.
The final piece should always be about retention and indeed the right of erasure, but these are covered in our other articles and throughout the be.GDPR and be.Privacy products.
So, having followed this advice, when you receive your first Subject Access Request under the General Data Protection Regulation, you can provide everything you need quickly and certainly within the allotted one month response period, then you can truly state that you can be.Infoready.
At be.Infoready our subscription services are designed to keep you up-to-date with current legislative requirements on data protection. Our products are created and defined specifically to cover these two areas:
UK specific data protection training, providing a fully legislative, complaint, verified training tool that takes each user through interactive web-based learning and assessment. Once the final Data Protection Bill has passed into law, you will receive these UK specific updates via your be.Privacy subscription service.
EU GDPR data protection training. Are you holding data on EU citizens? The you need to be.Infoready for the new EU General Data Protection Regulation laws.
Find out more >
For more information and ongoing developments about Data Protection, please follow our blogs and posts on this subject at our website, Facebook page, Twitter and LinkedIn.
Sign up here