Under the existing European Data Protection Directive, consent is a legally acceptable reason to store and process personal data and information. This will persist being the case when the General Personal Data Regulation (GDPR) becomes enforceable on May 25 2018. GDPR will amend the meaning of consent to add to the definition and businesses and organisations will have to comply with this definition, and the obligations within it, in order for consent to be acceptable.
Obtaining Initial Consent
One critical aspect of managing consent is obtaining it initially. Any business that wants to comply with GDPR needs to ensure that:
- There is no pressure involved, and consent is provided willingly.
- Consent is given, and used for, a specific reason.
- Individuals completely comprehend what they are consenting to.
- A positive action is taken to show consent. Assumption by absence of action is not acceptable, nor is a prechecked tick box.
What is the Timeframe for Obtained Consent?
Another important facet of consent management, that can impact compliance with GDPR, is how long expressed consent lasts for. There is no single definition regarding this, but consent should only be used in relation to processing data for a specific reason. Once that reason no longer remain, consent is no longer valid. Businesses should also make it straightforward for people to opt out of consenting, if they would like to.
Businesses should keep a watchful eye on the consent that they have obtained, and consider closely what they use it for and whether it is still valid. Failure to do so could result in an massive penalties and possible sanction for breaching GDPR.