In the previous article from our colleagues at Lawgistics on the steps to take when preparing for the GDPR, the topic was the data audit. If, as part of that audit, the business decided to rely on consent as its legal basis for processing personal data, it must be certain that the consent it holds meets the high standard the GDPR sets.
If the business has collected names and email addresses over the years by putting a checkbox on sales invoices that customers must tick if they do not want to be included in an emailing list, it is almost certain that this will be a breach of the GDPR. Why? Because the criteria for consent have changed.
A checkbox of this type asks people to opt out rather than to opt in. The difference may seem subtle, but the Information Commissioner's Office (ICO) will want to see that people were very clear about how their information would be used and that the business gave them a well-defined and genuine choice. Silence or a failure to untick a box is not a choice.
Consent must not be buried within the business's terms and conditions. It should be separate and clearly presented.
It is not permissible to have a pre-ticked box on an online form which a person must untick to withhold consent. There must be what the ICO calls a positive opt-in.
A company cannot demand or assume consent. For example, it is not possible to assume that a person consented to receiving details of a special offer simply because they previously made a purchase from the business and submitted their details for the invoice. Keeping the personal data on the invoice is allowable, as it is required for the contract and to meet the legal obligation to keep proper tax records, but this does not mean the same data can be used for marketing. No clear consent to receiving marketing = no marketing.
The ICO says consent must be specific and granular. This means, for example, that a business cannot rely on consent to all marketing just because the customer has consented to their details being sent to one specific third party. It must be made clear to the customer exactly what will happen to their data. There is no one-size-fits-all consent.
If the customer's details are to be sent to a third party, that third party must be named. A customer must know where their information is going.
If asked, the business will need to be able to prove to the ICO that consent was given, so it must ensure that its record-keeping is in good order. It will need records of who consented, what exactly they consented to, when they consented and how they consented (for example, which form or checkbox was used and what wording was shown at the time).
In addition to all the above, the customer must be told that they can withdraw consent at any time and informed of how to do so, and withdrawing must be as easy as giving consent was.
In summary, if a business relies on consent, which will most usually be for marketing purposes, it must ensure its records are sufficient to prove to the ICO that the customer clearly understood what they were consenting to. Following these steps reduces the risk of enforcement action and a fine.