The General Data Protection Regulation (GDPR) requires a lawful basis, commonly the consent of the individual, before the personal data of people in the EU is collected or processed. But what are the requirements for GDPR consent for existing customers? Do they need to be contacted to provide their consent again?
GDPR becomes enforceable on May 25, 2018. By that date, data controllers and data processors that rely on consent must have obtained consent that meets the GDPR standard from the individuals whose personal data they collect and process. Consent was also required under the previous data protection rules (the Data Protection Directive 95/46/EC and the national laws that implemented it), so many organizations already hold some form of consent.
It is therefore possible that the arrangements previously used to obtain consent already match the requirements of GDPR. Where they do, that consent remains valid. Where they do not, GDPR consent for existing customers must be obtained again before May 25, 2018, or the processing must stop or be moved to another lawful basis.
Obtaining GDPR Consent for Existing Customers
GDPR tightens the rules on how consent can be obtained. Under GDPR, consent must be freely given, specific, informed and unambiguous. It must be clearly explained, in plain language that can be easily understood, what data is being collected, who is collecting it and how it will be used.
The requirements for obtaining consent under GDPR are detailed below:
Implied Consent and Opt-Outs
Implied consent is no longer sufficient, and neither are automatic opt-ins. Consent must be given by a clear affirmative action, such as ticking an opt-in box. Silence, inactivity or a pre-ticked opt-in box do not constitute consent under GDPR.
Separate Consent Must be Obtained
Many organizations obtained consent to collect and use customers' data as part of their general terms and conditions. That is no longer acceptable. A request for consent must be clearly distinguishable from other matters and presented separately, and use of a service cannot be made conditional on consent to processing that is not necessary for the provision of that service. Consent obtained that way is not considered to be freely given.
Consent for Different Uses of Data
It must be possible for individuals to give consent for each use of their data separately. If personal data is used for a variety of purposes, separate consent must be obtained for each purpose; a single bundled consent covering all of them is not specific enough.
EU Citizens Must be Informed Who Uses Their Data
When obtaining consent to collect or process data, each organization that will rely on that consent must be clearly named. That includes the organization collecting the data and any third parties that will be supplied with the personal data.
Documentation of Consent
Under GDPR the controller must be able to demonstrate that consent was given. That means documenting the consent process and keeping records of who consented, when, how and to what, so that the consent can be evidenced if challenged.
Withdrawal of Consent Must be Easy
Organizations cannot make it difficult for an individual to withdraw consent. It must be as easy to withdraw consent as it was to give it, and individuals must be told of this right before they consent. Once consent is withdrawn, processing based on that consent must stop and the data must be erased unless another lawful basis for retaining it applies, for example a legal obligation to keep certain records. Withdrawal does not affect the lawfulness of processing carried out before it.
Even if new consent processes are implemented ahead of the May 25, 2018 deadline, continuing to process the data of existing customers on the basis of consent that does not meet the GDPR standard could attract a significant fine: GDPR allows penalties of up to €20 million or 4% of annual global turnover, whichever is higher.