GDPR Consent: Data Protection Practitioners’ Conference 2018 (#DPPC2018)
What’s new? When is consent appropriate? What is valid consent? How do we get consent?
Granular and separate
What does ‘granular’ mean? Separate consent for separate things; separate from your terms and conditions; specific to your purposes and methods.
Unambiguous and clear affirmative action
It must be obvious that they intended to consent – there can be no doubt. A clear affirmative action means a clear action to opt in.
No pre-ticked opt-in boxes
Don’t use pre-ticked opt-in boxes… or rely on any other form of silence, inactivity, or consent as the default.
Identity of the controller
You must name your organisation… and name any third party controller relying on the consent… ‘categories of third parties’ is not specific enough.
Right to withdraw consent
Individuals have the right to withdraw consent at any time. You must tell them this when you get consent. It must be as easy to withdraw consent as to give it. You must stop processing as soon as possible.
Clear records of consent
You will need to show: who consented… when they consented… what they were told… and how they consented.
When is consent appropriate?
When should you use consent? When there’s no other appropriate lawful basis; when you want to give people choice and control; or when you are required to have consent.
When not to use consent
If you would do it anyway – asking for consent is misleading and inherently unfair. If you are in a position of power – they may feel they have no choice. If consent is a condition of service but not necessary for the service.
Remember there are alternatives to consent
Contract with the individual; compliance with a legal obligation; protecting vital interests; ‘public task’ – official functions or public interest tasks laid down by law; legitimate interests.
What is valid consent?
The definition of consent: “Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Consent must be: freely given (genuine choice and control); specific and informed (targeted to your purpose and easy to understand); and unambiguous, by a clear affirmative action (a clear signal that they agree).
Explicit consent
Explicit consent is not very different from regular consent… however: it must be affirmed in a clearly worded statement (either written or oral); it must specifically refer to the element of processing that requires explicit consent; and a request for explicit consent should be separate from other consent requests.
Consent timescales
There is no specific timescale for expiry of consent in the GDPR. How long consent lasts will depend on the context… for example: the scope of the consent… the individual’s expectations… and whether the processing has evolved beyond the original consent. And don’t forget consent can be withdrawn at any time – in which case you must stop the processing.
When is consent not consent?
For example, it’s not consent: If it’s not obvious that the individual has consented; If you can’t actually prove that you’ve got consent; If you weren’t named as seeking consent from the individual; If you used pre-ticked opt-in boxes or other methods where consent is the default; or If you’re not sure – as that means it’s not unambiguous!
How do we get consent?
Your consent request must be: prominent – make it obvious; separate and granular – separate from T&Cs, and separate consent for separate things; concise – don’t be vague, long-winded or rambling; easy to understand – use plain language and don’t be confusing.
As a minimum you must: name your organisation; name any third parties who will be relying on the consent; explain your purposes and activities (what you’ll be doing and why); and tell people they can withdraw consent at any time.
Methods of obtaining consent
You can use a range of possible methods… for example: the individual signs a consent form; the individual ticks an opt-in box, either online or offline; or the individual says ‘yes’ to a clear oral request for consent.
Evidence of consent
You need evidence of: who – the individual’s name or other identifier (eg username, session ID); when – eg a dated document, electronic timestamp, or a note of the date and time of the conversation; what – eg a master copy of the document with the consent request, or the script that was used at the time; how – eg a copy of the data capture form, the data submitted online (with timestamp), or a note of oral consent made at the time.
Reviewing and refreshing
Keep consent under regular review, and refresh it if your purposes evolve beyond those originally specified. There is no such thing as ‘evolving consent’, because consent must be specific. Consider whether to automatically refresh at appropriate intervals. How often you need to refresh consent will depend on the particular context and expectations.
What about existing DPA consents?
There is no requirement to automatically refresh all existing DPA consents, but you need to make sure that your existing consents meet the GDPR standard. If your existing consents don’t meet the GDPR standard you need to: seek fresh GDPR consent; identify a different lawful basis; or stop the processing.
More information is available… Pick up a leaflet from the hub. Check out our lawful basis tool. Visit our website www.ico.org.uk.
Subscribe to our e-newsletter at www.ico.org.uk or find us on @iconews.