Andall Legal will be authorised and regulated by the Solicitors Regulation Authority (SRA No. 597704) until 31 July 2019 after which time this firm will be considered as closed

Andall Legal Limited is a Company registered in England Co. no. 8329295

VAT Reg. No. 231240952

 


© 2019 Andall Legal Ltd

GDPR - The right way to get that consent!

August 15, 2017

 

In my first blog post on the new General Data Protection Regulations, I explained that anyone processing personal data of an EU citizen needs specific consent from the person concerned.

 

In this post, we will focus on how that consent is obtained. This post is also an example of how a lovely, nice, friendly person can suddenly morph into a detail-oriented legal eagle. Legal stuff and plenty of practical guidance too.

 

The Information Commissioner's Office (ICO), our regulator in England, is responsible for guidance and enforcement of GDPR. They have made it clear that they have high expectations when it comes to the provision of consent, and they are looking to see that people are allowed a large degree of control in respect of their personal data. Specifically, the ICO states that the consent request must be separate from any other terms and conditions, so no more burying it at paragraph 35 of the Ts and Cs that I draft!

 

The definition of consent goes further than under the current Data Protection legislation. The new definition is worth a read, since we will need to apply it to our individual business requirements:

 

"Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"

 

Importantly, consent must be specific and informed. In practice, this means the following:

 

The name of your business and the names of any third parties relying on that consent must be clear, together with why you want the data. It goes without saying that you must be very clear as to what you are going to do with this data!

This is how the ICO recommends you can obtain consent in compliance with GDPR.

 

Keep consent requests separate

Your consent request must be separate from other terms and conditions (no more burying it at paragraph 35, Nicolina!). Consent must not be a pre-condition of signing up to a service unless absolutely necessary.

 

Active opt in required

- Unticked boxes requiring a tick - great!  

- Selecting from a Yes / No option.

- Responding to an emailed consent request.

- Answering Yes / No to a clear oral request.

- Dropping a business card into a box.

- You should note that opting out will be banned.

- Give options to consent to different things. The ICO is keen on granular consent, e.g. your ability to consent to postal marketing, text, email etc.

- You must say who will be relying on the consent. Obviously, this includes naming your organisation and any other organisation that will be relying on the consent.

 

Documentary evidence

Make sure that clear records are kept of who has consented to what and when.

 

Easy to withdraw

People need to be told they can withdraw their consent and it must be as easy to withdraw consent as to give it.

 

Additional considerations need to be given if there is an imbalance in your relationship or if dealing with children.

 


On a personal level, I look forward to the day when someone asks me for my consent to sell my personal data onto numerous random databases for further sale so I can be bombarded with random useless email 🙄. This new legislation may take some getting used to on a business level, but our inboxes will be much happier places in the future! 

 

Contact me if you need some help with putting this into practice in your business.  Email me at nicolina@andalllegal.com

 

That's it for this blog post. Next time, I'll be focusing on the business records you need to show to prove you are complying with GDPR. 

 

 

 
