How to design GDPR compliant consent

Sagara Gunathunga
8 min read · Sep 16, 2017


As discussed in the previous posts of this series, consent is one of the five lawful processing means defined in the GDPR, but in the commercial world it is the most common and most significant one. In this post we discuss consent management in detail and also look at its design aspects.

The main purpose of consent is to freely offer individuals a genuine choice and to put them in control of the processing of their personal data. For organizations that process personal data, consent provides a lawful basis for that processing. A well designed consent helps a business build customer trust, enhances customer awareness of and transparency about data processing, and greatly improves the reputation of the business.

The GDPR sets a very high standard for consent management and defines considerable financial penalties for violations of the consent related regulations. Any organization that processes the personal data of individuals must pay special attention to consent management and to any future processing of personal data it has already collected.

The purpose of consent

A processing organization can use consent to legitimize:

  1. Use of special category data
  2. Restricted processing
  3. Automated decision making
  4. Overseas data transfers

Consent is very likely to be used for most marketing activities or messages, website cookies, online tracking methods, and installing apps or software on individuals’ devices. Consent must be requested in such a way that consumers can easily understand that they are consenting, and what they are consenting to, without any important details hidden in small print.

Also, processing organizations cannot email or text individuals to ask for consent, because such a message itself constitutes a direct marketing message; there are already real world example cases of this.

However, consent is not an absolute right; there can be a legitimate basis for processing that does not depend on the individual’s consent. For example, you can’t refuse to let a bank share your credit details with public financial authorities, and you can’t refuse your employer’s liability to share your salary details with public tax agencies.

The GDPR definition of consent remains the same as the current DPD definition, but the GDPR introduces a new clause: consent must be unambiguous and involve a clear affirmative action.

1995 DPA Definition

“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

The GDPR definition

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

It should also be noted that when data processing is based on consent, individuals are entitled to a very strong set of rights, including the right to erasure and the right to data portability.

Here are the most important points extracted from the above definition.

Freely given — This is a very significant point that helps decide whether consent is the right choice for a given data processing activity or not. To use consent, the processing organization should be in a position to offer individuals real freedom to make a choice about the data processing. For example, in most cases public authorities can’t obtain consent freely, and an employer can’t always provide a real choice for employees; in such cases consent should not be used, and the organization can instead use one of the five other lawful processing means.

Specific — It’s not possible to ask individuals for a generic consent; consent should be specific about its intended purpose, the underlying processing approach, what kind of data is processed, how long the data will be kept by the business, etc.

Informed — An individual should be informed that he/she is consenting to the processing of his/her personal data; additionally, the individual should be aware of the rights attached to the given consent, such as the right to withdraw it. Further, processing organizations should make sure that the language, images, graphics etc. used in the consent are well understood by individuals; it’s not legitimate to obtain consent by misleading individuals or by hiding information.

Explicit consent

There is a special category of consent called “explicit consent”, which is required to process special category data and for automated decision making. The key difference is that explicit consent must be affirmed in a clear oral or written statement.

Design principles for consent management

  • Active opt-in — Consent requires a positive opt-in; avoid pre-ticked boxes or any other method of consent by default. Whenever a binary choice is given, both options should have the same prominence.
  • Informed — Consent should be clear, concise and specific about its content. Consent should not use ambiguous or generic statements.
  • Unbundled — Consent should be presented separately, in a way that is distinguishable from other content such as general terms and conditions, privacy notices etc.
  • Named — Consent should provide clear information about the processing organization and about any third party involved in the data processing.
  • Easy to withdraw — Consent should explicitly mention the consumer’s right to withdraw the consent at any time, with a clear withdrawal procedure. This also assumes the processing organization has established facilities to withdraw consents.
  • Granular — Organizations should provide granular consents so that consumers can consent to different types of processing separately.
  • Continuously reviewed — Organizations should establish a process to continuously review consent against business/system changes to make sure they remain in compliance with the GDPR.
  • Documented — The processing organization should keep evidence of consent: who consented, when, how, and what they were told.
  • No imbalance in relationships — When there is an imbalance between an individual and the processing organization (cases such as public authorities and employers) it is not possible to provide consent freely; in such cases some other legitimate means should be used instead of consent.
  • Time limits — There are no explicit rules about how long you can keep personal data, but it’s recommended to state in the consent how long you will store and process the personal data.

You can refer to some of the nice consent prototypes created by projectsbyif.

Policy on existing consents and data

To prepare for GDPR compliance it’s not compulsory to discard all of your existing consents and get fresh consents from users, but it is absolutely necessary to conduct a review of your current consent management process. If the process complies with the GDPR, then you can consider the existing consents valid and continue data processing. If your consent management process already complies with the current DPA recommendations, you can easily prepare for GDPR compliance.

If you have any doubt about whether your existing consents comply with the GDPR, it is always a good idea to discard the data and get fresh consent in a GDPR compliant manner.

Record tracking on consents

In order to demonstrate that you have consent from an individual, processing organizations should maintain the following records.

  1. Who consented — the name of the individual, or other identifier
  2. When they consented — a copy of a dated document, or online records that include a timestamp.
  3. What they were told at the time — a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, your records should include a copy of the script used at that time.
  4. How they consented — for written consent, a copy of the relevant document or data capture form. If consent was given online, your records should include the data submitted as well as a timestamp to link it to the relevant version of the data capture form. If consent was given orally, you should keep a note of this made at the time of the conversation; it doesn’t need to be a full record of the conversation.
  5. Whether they have withdrawn consent — and if so, when.
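The five records above map directly onto a data model. The following is an added example, not code from the original post: a minimal append-only consent store that keeps who, when, what version they were told, how, and when consent was withdrawn, and answers the point-in-time question “did this person consent to this purpose at this moment?”. The `demo()` scenario (user id, form version and timestamps) is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class ConsentRecord:
    subject_id: str                 # who consented: name or other identifier
    purpose: str                    # one purpose per record, so consent stays granular
    given_at: datetime              # when they consented
    form_version: str               # what they were told: version of the form/notice shown
    method: str                     # how: "online", "written" or "oral"
    evidence: str                   # submitted data, document reference or note of the call
    withdrawn_at: Optional[datetime] = None  # whether, and when, consent was withdrawn

class ConsentStore:
    def __init__(self) -> None:
        # Append-only: records are never deleted, so evidence survives withdrawal.
        self.records: List[ConsentRecord] = []

    def record(self, subject_id, purpose, form_version, method, evidence,
               opted_in: bool, given_at: datetime) -> ConsentRecord:
        # Active opt-in: an unticked box or a default never produces a consent record.
        if not opted_in:
            raise ValueError("consent requires a positive opt-in; nothing recorded")
        rec = ConsentRecord(subject_id, purpose, given_at, form_version, method, evidence)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at: datetime) -> int:
        # Mark every live consent for this subject and purpose as withdrawn; return how many.
        live = [r for r in self.records if r.subject_id == subject_id
                and r.purpose == purpose and r.withdrawn_at is None]
        for r in live:
            r.withdrawn_at = at
        return len(live)

    def has_consent(self, subject_id, purpose, at: datetime) -> bool:
        # Point-in-time check; consent for one purpose never implies consent for another.
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= at
                   and (r.withdrawn_at is None or r.withdrawn_at > at) for r in self.records)

def demo() -> dict:
    # Constructed scenario: one online opt-in to a newsletter on form v2.1, withdrawn two days on.
    s, t1 = ConsentStore(), datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    s.record("user-42", "newsletter", "v2.1", "online", "form data: newsletter=on", True, t1)
    s.withdraw("user-42", "newsletter", t1.replace(day=27))
    return {"before": s.has_consent("user-42", "newsletter", t1.replace(day=26)),
            "other_purpose": s.has_consent("user-42", "profiling", t1.replace(day=26)),
            "after": s.has_consent("user-42", "newsletter", t1.replace(day=27)),
            "evidence_kept": len(s.records)}
```

Because withdrawal only stamps `withdrawn_at` rather than deleting the row, the record still proves what was consented to and when, which is exactly the evidence the list above asks you to keep.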

Children’s consents

If the data processing targets children and depends on children’s consent, then the processing organization needs to consider the following two requirements.

  1. Implement an age-verification mechanism.
  2. Verify parental responsibility.

Additionally, you should ensure the consent can be well understood by children.

Alternatives to consent

When consent is not the appropriate basis to legitimize the processing, one of the following 5 bases can be used.

  1. A contract with the individual
  2. Compliance with a legal obligation.
  3. Vital interests.
  4. A public task.
  5. Legitimate interests.

Checklist for Consent

The consent checklist published by the UK Information Commissioner’s Office can be used to check whether your consent complies with the GDPR or not.

Asking for consent

  1. We have checked that consent is the most appropriate lawful basis for processing.
  2. We have made the request for consent prominent and separate from our terms and conditions.
  3. We ask people to positively opt in.
  4. We don’t use pre-ticked boxes, or any other type of consent by default.
  5. We use clear, plain language that is easy to understand.
  6. We specify why we want the data and what we’re going to do with it.
  7. We give granular options to consent to independent processing operations.
  8. We have named our organization and any third parties.
  9. We tell individuals they can withdraw their consent.
  10. We ensure that the individual can refuse to consent without detriment.
  11. We don’t make consent a precondition of a service.
  12. If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.

Recording consent

  1. We keep a record of when and how we got consent from the individual.
  2. We keep a record of exactly what they were told at the time.

Managing consent

  1. We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  2. We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  3. We consider using privacy dashboards or other preference management tools as a matter of good practice.
  4. We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  5. We act on withdrawals of consent as soon as we can.
  6. We don’t penalise individuals who wish to withdraw consent.


Sagara Gunathunga

Director & Head of DevRel - IAM, WSO2. Integration and Identity Architect. PMC Member @ The Apache Software Foundation