How your organisation asks for, and records, an individual’s consent to acquire, store, handle and use their data is key. The whole point of the GDPR legislation is to ensure that the individual’s personal data is protected, but there are allowable ways to use it, so long as this is done correctly.
Consent is not always required, of course, but where it is, it must be obtained correctly.
Any required consent must allow the individual to opt out completely and, where appropriate, to choose the purposes for which their data may be used. If consent is requested in an appropriate manner, individuals will appreciate the choice and the range of options (so long as they are simple and easily understood), and this will enhance the organisation’s reputation. You should always be aware that the individual may have different views as to the sensitive nature of specific data, so tread carefully.
Specifically, consent should follow the following rules:
- When asking for consent, keep the request separate from other terms and conditions, so that it is clear what is being asked.
- Consent should be obtained using positive opt-in approaches.
- Consent should not be a pre-condition of a service (remember that where this is impossible, you should be looking at a different legal basis on which to take the data collection forwards).
- When asking for consent:
  - be clear, and
  - break out the separate areas on which consent is requested:
    - to allow the individual to better understand what they are being asked to agree to, and
    - for the organisation to have clearer records of what has been agreed.
- Be clear which organisations will use this data: yours alone, other third parties, etc.
- Ensure you keep clear records of what was formally asked by your organisation and what, as a result, has been consented to.