One of the big changes with GDPR (see what is GDPR and does it apply to me?) is that your company needs to demonstrate it has the right to process an individual’s details. One way to do this is through consent, proved through customer opt-in.
How you collect this data and prove opt-in has been the topic of much discussion, but there are some clear standards that have to be met. More information can be found in the draft GDPR consent guidance document, but we have outlined the most important changes below.
Reasons for data collection have to be clear
The Information Commissioner’s Office (ICO), which will be responsible for handling GDPR in the UK, is very clear about how consent has to be given: “Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes.”
This means that all sign-up pages need to be written in clear English, stating why you are collecting the data, what it will be used for, and naming any third parties that will have access to the data. You are not allowed to use legalese, and the consent request has to be separate from any other terms and conditions.
Consent has to be active
As the ICO states, “There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”
That means that all options have to be signed up to manually. You can’t pre-select any consent options.
Unbundled consent is required
Consent for data collection has to be separate from other terms and conditions, and consent is not allowed to be a precondition of signing up for service, unless necessary.
This generally means that consumers can sign up for your services after agreeing to your terms and conditions, but they can also refuse consent to have their personal data processed.
Granular options are required
If you intend to use the data you collect in different ways, each one has to be given its own option, so that individuals can choose exactly which parts of your service they agree to.
For example, direct marketing and third-party marketing should be different options.
Consent has to be easy to withdraw
One of the key rights under GDPR is the right to be forgotten, giving individuals the right to instruct any company to stop processing their data.
At the point of sign-up, this should be clearly stated, and you should ideally link to instructions showing how to withdraw consent.
You don’t need to refresh existing consent
The ICO has said that companies do not need to refresh all existing consents collected under the Data Protection Act (DPA). However, if you are relying on consent to process data, it must meet the GDPR standard, as described above.
If the existing consent does not, then you must change your consent mechanism and seek fresh, GDPR-compliant consent from your customers.
Do you need double opt-in?
One of the key phrases used by the ICO about getting consent is that “consent has to be verifiable”. While not strictly required by GDPR or the ICO, one way to prove that an individual signed up for a service is to use double opt-in.
With double opt-in, after a customer has filled in the consent form online (written to follow the guidelines above), they are sent an email asking them to confirm the sign-up via a verification link. Clicking this link is confirmation that the sign-up was valid and helps demonstrate your GDPR compliance.
Double opt-in is not mandatory, although it is likely the best option to meet all of the requirements of GDPR. It requires implementing a sign-up system that can handle double opt-in, so you’ll need to talk to your service provider or IT consultant to see how this can be implemented.
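To make the double opt-in flow and the "verifiable consent" point concrete, here is an added example (not code from the original post or from any particular sign-up product) of the three pieces a sign-up system needs: granular, unticked-by-default options; a one-time emailed verification token that expires; and a consent record that keeps the evidence (who, which purposes, when, which form wording) and supports withdrawal. All names, the purposes list and the 48-hour token lifetime are assumptions for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical granular purposes offered on the sign-up form. Nothing is
# pre-ticked: a purpose is only True if the user actively ticked it.
PURPOSES = ("direct_marketing", "third_party_marketing")
TOKEN_TTL = timedelta(hours=48)   # assumed lifetime of the verification link


@dataclass
class ConsentRecord:
    email: str
    purposes: dict                 # purpose -> True only if the user ticked it
    form_version: str              # identifies the exact wording shown at sign-up
    requested_at: datetime         # form submitted (step 1 of double opt-in)
    confirmed_at: Optional[datetime] = None   # link clicked (step 2)
    withdrawn: dict = field(default_factory=dict)  # purpose -> withdrawal time


class ConsentStore:
    """In-memory double opt-in store (example only; a real system uses a database)."""

    def __init__(self):
        self._pending = {}    # sha256(token) -> ConsentRecord awaiting confirmation
        self._records = {}    # email -> confirmed ConsentRecord

    def request_consent(self, email, ticked, form_version, now):
        """Step 1: the form was submitted. Returns the one-time token to email."""
        purposes = {p: (p in ticked) for p in PURPOSES}   # unticked stays False
        if not any(purposes.values()):
            raise ValueError("nothing opted in; no consent to record")
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked pending table cannot then be
        # used to "confirm" on someone else's behalf.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = ConsentRecord(email, purposes, form_version, now)
        return token

    def confirm(self, token, now):
        """Step 2: the verification link was clicked. Returns True on success."""
        key = hashlib.sha256(token.encode()).hexdigest()
        rec = self._pending.pop(key, None)      # pop: the link is single-use
        if rec is None or now - rec.requested_at > TOKEN_TTL:
            return False
        rec.confirmed_at = now
        self._records[rec.email] = rec
        return True

    def withdraw(self, email, purpose, now):
        """Withdrawal is recorded, not deleted, so the history stays auditable."""
        rec = self._records.get(email)
        if rec is not None:
            rec.withdrawn[purpose] = now

    def has_consent(self, email, purpose):
        """True only for a confirmed, ticked and not-withdrawn purpose."""
        rec = self._records.get(email)
        return bool(rec is not None and rec.confirmed_at is not None
                    and rec.purposes.get(purpose, False)
                    and purpose not in rec.withdrawn)

    def evidence(self, email):
        """The audit trail you would show a regulator for this individual."""
        rec = self._records.get(email)
        if rec is None:
            return None
        return {
            "email": rec.email,
            "purposes": dict(rec.purposes),
            "form_version": rec.form_version,
            "requested_at": rec.requested_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat(),
            "withdrawn": {p: t.isoformat() for p, t in rec.withdrawn.items()},
        }


if __name__ == "__main__":
    # Constructed walk-through: Alice ticks only direct marketing, then confirms.
    store = ConsentStore()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    token = store.request_consent("alice@example.com", {"direct_marketing"},
                                  "signup-form-v3", t0)
    print("confirmed:", store.confirm(token, t0 + timedelta(hours=1)))
    print(store.evidence("alice@example.com"))
```

The checks a system like this gives you map onto the sections above: every purpose defaults to unticked (active consent), each purpose is stored separately (granular consent), the emailed token proves the address holder completed the sign-up (verifiable consent), and withdrawal flips a single purpose off while keeping the dated record you would need to show when and under which form wording consent was originally given.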