In this article we take a detailed look at the consent requirements of the GDPR, which came into effect across the EU on 25 May 2018. Although it was drafted for the EU, it reaches much further: it also binds organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, and it affects companies trading with EU based businesses.
The regulation is designed to hand power and autonomy back to Data Subjects (the individuals whose personal data is collected and processed) and to protect their rights. Where an organisation relies on consent as its reason for processing data, that consent has to meet a detailed set of requirements, which this article sets out.
What is the GDPR?
GDPR stands for General Data Protection Regulation. It was adopted by the EU in April 2016 and has applied since 25 May 2018 as a tough new data protection and privacy regulation. It is widely regarded as the strictest privacy law in the world. Although it was drafted in the EU with the intention of primarily serving this economic community, the regulation influences and restricts organisations all over the world.
Anyone who transfers, targets, or collects data relating to people in the EU may be subject to this strict privacy law. If the law is violated, organisations face substantial fines. The GDPR holds organisations to very high privacy and security standards: under Article 83, fines for the most serious infringements can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher.
In recent times the internet has opened up and data has become a new trading commodity. More and more people are putting personal data in cloud services and trading it for services. The EU noticed that playing fast and loose with data in this way presented people and companies with many privacy issues. So, at a time when there is more data freedom than ever, the EU implemented a very tough regulation to prevent abuse. This is known as the GDPR.
How does it work?
GDPR law covers a range of data protection principles, including lawfulness and fairness, purpose limitation, storage limitation, accountability, and data minimisation. It is preventative by design: the aim is to stop misuse of personal data before it happens rather than only to punish it afterwards.
This means that organisations need to be compliant before any breach occurs, not in response to one. The accountability principle (Article 5(2)) goes further: you must be able to demonstrate that you are compliant, so compliance has to be documented, not just practised.
In practice, compliance with GDPR law means adapting your security controls and practices so that personal data is protected in your business. Article 32 expects measures appropriate to the risk, which might mean introducing additional controls such as two-factor authentication, encryption of data at rest and in transit, or pseudonymisation.
Why is it Significant?
Data has become a new and valuable commodity. Major companies and corporations have identified the value of data and offer services in exchange for more of it. While this is fine in principle, without responsible regulation it could lead to exploitation.
The GDPR seeks to protect individuals from exploitation and from uses of their data they never anticipated. It is not the first EU data protection law (it replaced the 1995 Data Protection Directive), but it is the first with this reach and these penalties. Although it protects people in the EU, it binds many non-EU entities as well, and similar regulations have since been introduced elsewhere.
How Does it Impact Non-EU Members?
In principle GDPR law protects Data Subjects in the EU and binds controllers and processors established there. However, organisations outside the EU are also caught when they offer goods or services to people in the EU or monitor their behaviour there, as are companies trading with EU based businesses that handle their customers' personal data.
Article 3 states:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) The monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Why is Getting Consent a Challenge?
GDPR consent is, in the words of Article 4(11), a freely given, specific, informed and unambiguous indication of the Data Subject's wishes, given by a statement or by a clear affirmative action, that processing of their data is permissible. This is why you encounter so many consent pop-ups on the internet, especially since 2018.
Companies need your consent to process your data for analytics and promotional purposes unless another lawful basis applies. In the majority of cases there is no sinister motive for acquiring your data, but still, they have to request it and it has to be given. This returns the power over personal data to individuals.
But acquiring consent can be a challenge for companies. GDPR law requires Data Subjects to issue a clear and unambiguous affirmation that it is OK for companies to use their data. The consent covers the entire lifecycle, from data collection to enabling changes and withdrawal. At every stage the Data Subject has the authority to adapt or withdraw consent and it’s the responsibility of the relevant companies to facilitate these actions.
What does consent mean for the GDPR?
When it comes to the GDPR, consent is a key component. The vision for the GDPR is to deliver the autonomy of data control back into the hands of individuals, the Data Subjects. Consent is one of the six lawful bases for processing listed in Article 6, and where a company relies on it, it may not collect or process the Data Subject's data without a clear affirmative action on their part.
That affirmative action is what the GDPR calls 'consent'. It can be given by a written statement, including by electronic means, or by an oral statement (Recital 32). In practice this often means ticking a box when visiting a website; silence, pre-ticked boxes or inactivity do not count. Because websites commonly collect data from visitors for analytics from the first request, consent must be obtained at the outset, before that data is collected.
Before the GDPR, UK data protection law (the Data Protection Act 1998) also required individuals to be given a say over data sharing. In practice this usually meant a tick box allowing users to opt out of data gathering, often pre-ticked by default.
However, GDPR law is much tougher and goes much further. The earlier regime was often vague and covered a broad base of issues, but the GDPR is more detailed and requires opt-in rather than opt-out, meaning companies must understand and implement the correct process or risk noncompliance.
In addition to declining data collection, Data Subjects also have the power to refuse marketing from businesses and brands. This means that businesses can only send marketing content to customers who have given clear and affirmative consent, whether by a written statement or by electronic means.
The importance of consent
In recent years data has become a new commodity; it holds value and can be traded for profit. But that data is personal, it belongs to individuals who – until the introduction of the GDPR – had little or no say as to how their data was collected, stored, or transferred. With GDPR consent, Data Subjects now have a means of controlling and monitoring their data and how it is used.
Under GDPR law, consent is one lawful basis for processing personal data (Article 6(1)(a)), alongside contract, legal obligation, vital interests, public task and legitimate interests. When a Data Subject indicates, by a statement or a clear affirmative action, that a company may use their data for a purpose, that company is entitled to do so for that purpose. This accountability was largely missing before, when data was used freely with little oversight; GDPR consent gives the Data Subject a concrete legal lever over how their data is processed.
Apart from the legal and ethical grounds for GDPR consent there are other factors that make the regulation important. The new level of control customers have over their personal data gives them an autonomy that was absent before, and that autonomy builds trust and better engagement with companies. Moreover, the consent process produces lean and efficient marketing databases, because they contain only people who actually want to hear from you.
How is consent gained?
As outlined above, consent must be freely given and must be signalled by a clear affirmative action, an unambiguous act of consent. On the face of it this would seem simple enough: if you show a pop-up to consumers before they use a website and they choose to consent, you have what you need. But it is not always as straightforward as this, especially for marketers.
Marketing teams have historically offered free gifts and benefits, such as a download or a free ebook, in exchange for consent. In marketing circles this is effective practice, but under the GDPR it is problematic: Article 7(4) says that where consent is made a condition of receiving something that does not actually require the data, it is presumed not to have been freely given. It is still fine to offer customers free gifts, but accepting the gift cannot be treated as consent to unrelated processing, and the two must be kept clearly separate.
Consent must always be clear and unambiguous. It must be affirmative. When GDPR law first came in on 25 May 2018 most businesses had to completely revise their consent policies, as their existing opt-out and pre-ticked marketing databases did not comply with the GDPR. Those companies who thought of their customers, and their data, as mere numbers had to switch their mentality. The GDPR turns these numbers back into people.
Types of GDPR consent
GDPR consent requires that consent be 'freely given', meaning that companies cannot make consent a prerequisite for using a service unless the processing is genuinely necessary for that service. If a Data Subject declines consent for other processing, they are still permitted to use the service. If permission is given, it must be given through an unambiguous and affirmative action.
The main idea of the GDPR is to return data power back into the hands of the Data Subject. This means there must be genuine choice and control on behalf of the Data Subject about how their information is used.
If a Data Subject does not have this control then their consent is not freely given and is invalid under the GDPR. If a Data Subject can refuse consent and still use the service, and can easily withdraw consent at any time, the GDPR's 'freely given' requirement is met.
Specific and Informed Consent
GDPR consent must also be specific and informed.
This means that it must adhere to the list below:
- The controller’s identity: A Data Subject should know the identity of the controller and of any third-party controllers who will rely on the consent. A controller is the organisation that decides why and how personal data is processed (Article 4(7)).
- The purposes of the processing: Consent is granular, in other words, different consent must be given for different data processes. There is no such thing as blanket consent for Data Subjects.
- The processing activities: Again, all processing activities must be consented to individually, unless the activities are obviously interdependent.
- The right to withdraw consent at any time: The right to withdraw and the ease of doing so is central to GDPR consent.
What determines valid consent?
Naturally, obtaining valid consent from Data Subjects is crucial to staying on the right side of GDPR law and avoiding heavy fines; by some estimates, around 9 billion dollars has already been spent on GDPR compliance.
It is always necessary to facilitate ethical standards for data processing. Although the GDPR can be intricate at times, it’s very important that Controllers understand what constitutes valid consent from Data Subjects.
As mentioned, consent must be specific and informed. To obtain this Valid Consent, Controllers must offer Data Subjects key information.
- The name of the organisation and the names of any other controllers who will rely on the consent.
- Why the data is needed (the purposes of the processing).
- What is to be done with the data (the processing activities).
- That consent can be withdrawn at any time, and how to do so.
Under GDPR law it is not enough for a Controller to say they have acquired consent from the Data Subject, they must also be able to prove this. So the consent process also stretches to record keeping.
To prove they have acquired the correct consent, Controllers must show:
- Who consented: This is the name of the individual, or other identifier (eg, online user name, session ID).
- When they consented: A copy of a dated document, or online records that include a timestamp; or, for oral consent, a note of the time and date when consent was made.
- How they consented: For written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted and a timestamp.
Finally, the request for consent itself must be presented as a clear statement. Article 7(2) requires that where consent is given in a written declaration that also covers other matters, the request is presented in a way that is clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Such a Consent Statement contains the identifying information and the specific purposes and uses consented to, setting out the granular use of the consenting individual's data.
This is not the same as the terms and conditions: consent buried in a terms document does not count, and consent is not itself a contract (contract is a separate lawful basis under Article 6). The statement is the record of what the Data Subject actually agreed to, and it is what the Controller relies on to show that processing is lawful and proportionate for those specific purposes in GDPR relevant areas.
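As an added illustration, not part of the original article, the record-keeping requirements above (who consented, when, how, and for which purpose) together with the granular and withdrawable nature of consent can be expressed as a small append-only ledger in Python. Nothing is ever deleted from it, so a Controller can answer "was processing for this purpose permitted at this instant?" for any point in the past. The field names, purpose strings, the three consent methods and the sample entries are all assumptions made for this example.

```python
"""Append-only consent ledger: who/when/how records, granular purposes,
withdrawal, and point-in-time permission checks.  Added example; the record
layout and method names are assumptions, not a GDPR-mandated schema."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

VALID_METHODS = ("web_form", "written", "oral")  # assumed set of "how" values


@dataclass(frozen=True)
class ConsentGrant:
    """One granular consent: a single purpose, never a blanket grant."""
    subject_id: str       # who: user name, session ID or other identifier
    controller: str       # identity of the controller relying on the consent
    purpose: str          # one specific purpose, e.g. "analytics"
    given_at: datetime    # when: timestamp of the affirmative action
    method: str           # how: "web_form", "written" or "oral"
    evidence: str         # copy of the submitted data or document reference


@dataclass(frozen=True)
class ConsentWithdrawal:
    subject_id: str
    purpose: str
    withdrawn_at: datetime


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self.grants: list[ConsentGrant] = []
        self.withdrawals: list[ConsentWithdrawal] = []

    def record(self, subject_id: str, controller: str, purposes: Iterable[str],
               method: str, evidence: str, affirmative: bool,
               at: Optional[datetime] = None) -> None:
        # Pre-ticked boxes, silence or inactivity are not consent; the caller
        # must assert that a clear affirmative action actually took place.
        if not affirmative:
            raise ValueError("no clear affirmative action recorded")
        purposes = list(purposes)
        if not purposes:
            raise ValueError("consent must name at least one specific purpose")
        if method not in VALID_METHODS:
            raise ValueError(f"unknown consent method {method!r}")
        at = at or _now()
        for purpose in purposes:  # one grant per purpose: consent is granular
            self.grants.append(ConsentGrant(subject_id, controller, purpose,
                                            at, method, evidence))

    def withdraw(self, subject_id: str, purposes: Optional[Iterable[str]] = None,
                 at: Optional[datetime] = None) -> None:
        """Withdraw some purposes, or all of them when purposes is None."""
        at = at or _now()
        if purposes is None:
            purposes = {g.purpose for g in self.grants if g.subject_id == subject_id}
        for purpose in purposes:
            self.withdrawals.append(ConsentWithdrawal(subject_id, purpose, at))

    def is_permitted(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """True if the latest grant for this purpose at time `at` has not been
        withdrawn since.  Historical checks use the state as it was at `at`."""
        at = at or _now()
        grants = [g.given_at for g in self.grants
                  if g.subject_id == subject_id and g.purpose == purpose
                  and g.given_at <= at]
        if not grants:
            return False
        latest = max(grants)
        return not any(latest < w.withdrawn_at <= at for w in self.withdrawals
                       if w.subject_id == subject_id and w.purpose == purpose)

    def proof(self, subject_id: str, purpose: str) -> Optional[dict]:
        """The who/when/how record for the most recent grant, for auditors."""
        matching = [g for g in self.grants
                    if g.subject_id == subject_id and g.purpose == purpose]
        if not matching:
            return None
        g = max(matching, key=lambda x: x.given_at)
        return {"who": g.subject_id, "controller": g.controller,
                "purpose": g.purpose, "when": g.given_at.isoformat(),
                "how": g.method, "evidence": g.evidence}


def demo() -> ConsentLedger:
    """Constructed sample history: consent to two purposes, withdrawal of one,
    then a fresh opt-in to the withdrawn purpose."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1 = datetime(2024, 2, 1, tzinfo=timezone.utc)
    t2 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record("user-42", "Example Ltd", ["analytics", "marketing"],
                  "web_form", "signup_v3: analytics=on marketing=on", True, at=t0)
    ledger.withdraw("user-42", ["marketing"], at=t1)
    ledger.record("user-42", "Example Ltd", ["marketing"],
                  "web_form", "prefs_page: marketing=on", True, at=t2)
    return ledger
```

The point-in-time check matters for the accountability principle: if marketing e-mail was sent in January, the ledger shows it was permitted then even though consent was withdrawn in February, and a send in February is shown to have been unlawful. Withdrawal is recorded as its own event rather than by deleting the grant, so the evidence of the original consent survives.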
In this article we have looked at what the GDPR is and what it does; we have also looked at what it means for companies (Controllers) and individuals (Data Subjects), particularly around the issue of consent. There is no question that the EU's introduction of the GDPR has had a significant impact on the data landscape and is influencing policy and practice in other parts of the world as well.
One of the key areas of the GDPR is consent. The rules exist to deliver the power over personal data back into the hands of Data Subjects. To do this, where consent is the lawful basis, it must be given by the Data Subject. However, consent is not a straightforward matter. It must be freely given, specific, informed and unambiguous, signalled by a statement or a clear affirmative action, and it may be written, electronic or oral, but never inferred from silence or a pre-ticked box.
Finally, GDPR consent must be granular: consent given by a Data Subject must be given for a specific use of the data. The purpose limitation principle also requires the Data Controller to use the data only for the purposes it was collected for, not simply collect and store it. It is very important that companies remain compliant with the GDPR. They must be able to prove that they hold valid consent from their Data Subjects, or they risk heavy fines.