Obtaining Valid GDPR Consent for Information Use
Under the GDPR your company / organisation must be able to demonstrate that the individual gave clear and affirmative consent to the processing of their personal data.
This means that your company / organisation must explain clearly, and exactly, what personal data it is collecting and how that data will be processed and used. Your company / organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail, and that the proof of consent (what was asked, what the person agreed to, and when) is stored and can be retrieved quickly if necessary. The information that you supply has to be understandable by an ordinary person, i.e. descriptions of the products / services / treatments supplied need to be clear and not based around internal codes / product codes.
Opt-in Rather Than Opt Out
Under the GDPR, people must actively opt in rather than being made to opt out, i.e. the options for receiving information from companies (e.g. tick boxes on web page contact forms) must not be pre-ticked, and silence or inactivity cannot be treated as consent. The accompanying wording must also clearly state that ticking the box means opting in, and what the person is opting in to.
Other Implications Regarding GDPR Consent
Companies / organisations will need to simplify their Terms and Conditions so that they are clear and informative, rather than being filled with confusing, baffling references and legalese. From 25th May 2018, T&Cs and consent requests for the purposes of data processing will need to be intelligible, in an easily accessible form, and written using clear and plain language. Consent for data processing must also be presented separately from other terms, rather than buried within them, and it must be as easy for a person to withdraw their consent as it was to give it.
Rather than requesting (on a website contact page) that people sign up for something (e.g. a newsletter) and simply asking for an email address and / or telephone number, the wording could be changed to ask people to agree to be contacted, while still stating clearly what they will be contacted about. It also aids compliance to send an auto-responding email asking the person to confirm that they want to opt in (a so-called double opt-in), so that consent is only recorded once the confirmation link has been clicked. Information such as the date, time and IP address of each sign-up and confirmation should be recorded, together with the exact wording the person agreed to, because the data given (name, email and telephone number) identifies the person and you must be able to demonstrate that consent was given. Bear in mind that the IP address is itself personal data, so keep it only for as long as the consent record needs it.
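The double opt-in and consent record described above, as an added example (not code from the original page or from any particular product): a sign-up is refused if the box is not ticked, a one-time confirmation token is emailed to the person, consent is only logged once that token is confirmed within its lifetime, and withdrawal keeps the record with a withdrawal time rather than deleting it. Only a hash of the token is stored, so a leaked database cannot be used to confirm someone else's sign-up. The function names, the consent wording, the 48-hour token lifetime and the in-memory stores are all assumptions; in practice the records would live in a database.

```python
"""Double opt-in consent log (example code added to this page, not the article's own).
All names, the consent wording, the 48-hour token lifetime and the in-memory
stores are assumptions; timestamps are POSIX seconds so callers can pass fixed
values when testing."""
import hashlib
import json
import secrets
import time
from datetime import datetime, timezone

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: unconfirmed sign-ups expire after 48 hours

# The exact wording the person saw is stored with every record, because that is
# what you must be able to show later. Assumed wording and version label.
CONSENT_TEXT = ("Tick this box if you would like us to contact you by email about "
                "our newsletter. You can withdraw this consent at any time.")
CONSENT_VERSION = "2018-05-25.v1"

_pending = {}      # sha256(token) -> unconfirmed sign-up record
_consent_log = []  # append-only list of confirmed consent records


def _iso(ts):
    """Render a POSIX timestamp as a UTC ISO 8601 string for the record."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def _token_hash(token):
    """Only the hash of the confirmation token is stored server-side."""
    return hashlib.sha256(token.encode()).hexdigest()


def record_signup(email, ticked, ip, now=None):
    """Step 1: the form is submitted. The box defaults to unticked, so an
    unticked submission is refused outright. Returns the one-time token that
    goes into the confirmation email link; nothing is logged as consent yet."""
    if not ticked:
        raise ValueError("consent box not ticked: nothing recorded")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_token_hash(token)] = {
        "email": email,
        "consent_text": CONSENT_TEXT,
        "consent_version": CONSENT_VERSION,
        "signup_ts": now,
        "signup_at": _iso(now),
        "signup_ip": ip,
    }
    return token


def confirm(token, ip, now=None):
    """Step 2: the person clicks the link. Unknown, reused or expired tokens are
    rejected; a valid one becomes a confirmed consent record."""
    now = time.time() if now is None else now
    record = _pending.pop(_token_hash(token), None)  # pop: a token is single-use
    if record is None:
        return None
    if now - record["signup_ts"] > TOKEN_TTL_SECONDS:
        return None  # link too old; the person has to sign up again
    record.update({"confirmed_at": _iso(now), "confirmed_ip": ip, "withdrawn_at": None})
    _consent_log.append(record)
    return record


def withdraw(email, now=None):
    """Withdrawal is one call, no questions asked. The record is kept, with the
    withdrawal time, as evidence of when contact had to stop. Returns the
    number of records withdrawn."""
    now = time.time() if now is None else now
    changed = 0
    for rec in _consent_log:
        if rec["email"] == email and rec["withdrawn_at"] is None:
            rec["withdrawn_at"] = _iso(now)
            changed += 1
    return changed


def can_contact(email):
    """Only a confirmed and not-withdrawn record permits contact."""
    return any(r["email"] == email and r["withdrawn_at"] is None for r in _consent_log)


def consent_evidence(email):
    """What you hand over when asked to demonstrate that consent was given."""
    return json.dumps([r for r in _consent_log if r["email"] == email], indent=2)


if __name__ == "__main__":
    # Constructed walk-through: sign up, confirm an hour later, then withdraw.
    t0 = 1527325200.0  # 2018-05-26 09:00 UTC
    tok = record_signup("alice@example.com", True, "203.0.113.5", now=t0)
    confirm(tok, "203.0.113.5", now=t0 + 3600)
    print(consent_evidence("alice@example.com"))
    withdraw("alice@example.com", now=t0 + 86400)
    print("may contact:", can_contact("alice@example.com"))
```

The point of keeping withdrawn records rather than deleting them is that the question "did you have consent on the date you sent this?" has to be answerable later; the withdrawal time is part of the evidence, not a reason to discard it.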
From 25th May 2018 you / your company will not be able to contact anyone for marketing purposes without their consent. This, in theory, should also reduce unsolicited emails and phone calls to you, if those companies / organisations choose to comply. It also means that you / your company can no longer use purchased lists to send emails or make calls, because the people on them never gave you consent. This has implications for affiliate marketing too: if affiliates are contacting people on your behalf, you will need to be certain that they are GDPR compliant, and that they are doing so with the consent of the people contacted.