‘The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU)’
In the UK we currently rely on the Data Protection Act 1998, which came into force following the 1995 EU Data Protection Directive. The new GDPR will supersede the current directive and will come into force on 25th May 2018. It is set to introduce tougher fines on businesses for non-compliance and breaches, giving individuals more say over what companies can do with their data. It also means that data protection rules will be more or less identical throughout the EU.
To comply with the GDPR’s new consent requirements and ensure your existing consents meet the new, higher GDPR standard, your consent mechanisms should demonstrate the following:
- Unbundled: Consent requests must be separate from other terms and conditions.
- Active opt-in: Pre-ticked opt-in boxes are invalid. Instead, use un-ticked opt-in boxes or a similar active opt-in method, such as a binary choice in which both options are given equal prominence.
- Granular: Give granular options to consent separately to different types of data processing wherever appropriate.
- Named: Name your organisation and any third parties who will be relying on the consent.
- Documented: Keep records to demonstrate what individuals have consented to, including what they were told, and when and how they consented.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to consent, meaning you need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: Consent will not be ‘freely given’ if there is an imbalance in the relationship between the individual and data controller.