GDPR Compliance – 10 Rules for Managing Data Consent

The General Data Protection Regulation came into force across the European Union in 2018. It represented a significant shift in how personal data is collected, processed and secured.

Following Brexit, the UK incorporated the GDPR into its own legislation as the UK GDPR. This incorporation ensures that British standards for data protection remain robust and aligned with those of the EU.

Under UK GDPR, individuals have an explicit and voluntary choice in the processing of their personal data.

In practice, this means customers must consent before you can record or use their personal information.

Consent is a cornerstone of GDPR compliance and must be managed carefully.

Here are clear and actionable rules you can follow to ensure your customers understand and lawfully consent to your use of their personal data.

Under UK GDPR, obtaining explicit consent from individuals before processing their personal data is almost always necessary.

‘Processing’ in a GDPR context includes any operation performed on personal data. This broad definition includes any time data is:

• Collected
• Recorded
• Organised
• Stored
• Retrieved
• Consulted
• Shared
• Altered
• Destroyed

Your organisation likely engages in at least some of these activities regularly. And whenever you do, consent is necessary.

‘Freely given’ consent means that an individual has a real choice and control over their personal data being collected, processed or stored.

This means you cannot:

• Coerce or force customers to give consent
• Offer your services/products as conditional on consent
• Assume consent is given if customers don’t respond

To ensure that your request for consent meets GDPR rules and is truly ‘freely given’, consider the following tips:

• Offer individuals choices about the types of data they consent to share and the processing activities their data will be subject to.
• Consent must be an active, affirmative action. Using pre-ticked boxes or any form of default consent is not considered ‘freely given’ under GDPR. Instead, use opt-in boxes for your customers to consciously select.
• Provide all relevant information in a straightforward manner, including what data is being collected, for what purpose and who it will be shared with.

Consent must be distinctly separate from your terms and conditions. This separation ensures that consent is not only freely given but also informed and specific.

In practical terms, requests for consent to process personal data cannot be buried within lengthy terms and conditions, privacy notices or any other documents that individuals must agree to before using a service.

Consent can’t be tied to accepting terms and conditions, either. If your service requires customers to accept terms and conditions, you must provide a separate and distinct mechanism for consent to data processing activities.

Potential customers have the right to refuse data processing without being denied access to your services.

This principle builds on the concept of freely given consent, as making consent to data processing a precondition for service is a form of coercion.

You must offer customers options to opt out of non-essential data processing activities without negatively impacting their experience or access to services.

When requesting consent under GDPR, you must provide detailed information about your organisation and how you intend to use the collected personal data.

This transparency is fundamental to ensuring consent is informed and freely given.

Here’s what your organisation must disclose when seeking consent:

Identity and Contact Details: Identify your organisation and any other parties processing the data. You must also provide contact information, including email, phone number and physical address. If you have a Data Protection Officer (DPO), include their contact details too. This ensures individuals know who is responsible for their data and how to reach out with questions or concerns.

Purpose, Sharing and Duration of Data Processing: Explain why your organisation is collecting personal data, including details on processing activities, any sharing with third parties and if data will be transferred outside the United Kingdom. Also, specify how long the data will be stored.

Rights and Withdrawal of Consent: Inform individuals of their rights regarding their data, such as the right to access, rectify, delete or transfer their data and the ability to object to processing. Also, clarify that consent can be withdrawn anytime (more on this later).

Complaints: Detail the right to complain to a supervisory authority and provide guidance on how to do this so customers understand their options for recourse.

Consent to data processing runs out. But there’s no universal rule for when it does.

The Information Commissioner’s Office (ICO), which enforces UK GDPR, states that consent ‘degrades over time’ but does not specify a hard deadline. Instead, you must consider the initial agreement and what your customers can realistically expect.

Likewise, if your data processing activities evolve, your customers must opt-in again. Any re-confirmations must still be freely given and follow the principles already discussed.

Customers can withdraw consent to data processing at any time in your relationship.

Consent can be withdrawn for a number of reasons, such as a change in circumstance, privacy concerns or a reassessment of your service’s value. Whatever the cause, your customer’s decisions are final and must be respected immediately.

To comply with this rule, you should implement straightforward mechanisms for customers to withdraw their consent. Your customers shouldn’t have to jump through hoops to exercise their rights. Any obstacles risk breaching GDPR rules and turning customers away from your business permanently.

Consent must be documented to prove it was obtained lawfully. Your records must show compliance with every rule around consent, including:

• Who consented
• When they consented
• What information you provided at the time of consent
• How they consented (was it verbal, online, over the phone, etc)
• For what purpose consent was given

You must also be able to demonstrate that consent was affirmative.

Under GDPR, consent records are subject to the same protections as personal data and must be stored securely.

Data breaches must be reported to the ICO. The regulatory body may trust you to manage the incident but will take action if the violation is severe.

Following a breach, you may be:

• Issued an official notice requesting further information
• Issued an enforcement notice outlining what you must do to ensure GDPR compliance
• Issued a penalty notice
• Inspected by the ICO
• Fined up to a maximum of 4% of your annual turnover or £17.5 million, whichever is higher

Training your team in GDPR compliance is essential. It can stop data leaks and prove your commitment to your customer’s personal data security.

Our GDPR Awareness Training helps organisations handle data correctly. Course users learn about GDPR legislation and its key principles. They also learn how to apply data protection best practice to their work and help ensure the integrity of your customer’s data.