Consent is probably the issue most people associate with GDPR.
Review your processes and procedures for how you seek, record and manage consent.
After reviewing those procedures and processes, seek consent again if your existing consents do not meet GDPR standards.
The ICO has published detailed guidance on consent, available to download as a PDF.
In summary, the ICO document says:
The GDPR sets a high standard for consent.
Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
Consent means offering individuals genuine choice and control.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
Explicit consent requires a very clear and specific statement of consent.
Keep your consent requests separate from other terms and conditions.
Be specific and granular. Vague or blanket consent is not enough.
Be clear and concise.
Name any third parties who will rely on the consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
Keep consent under review, and refresh it if anything changes.
Avoid making consent a precondition of a service.
Public authorities and employers will find using consent difficult.
Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.
Consent should be drafted so that individuals retain control over their data, allowing you to build trust and engagement by offering genuine choice and control.
Consent must be a positive opt-in: you cannot offer pre-ticked boxes as a way of obtaining consent by default. This will not be considered acceptable consent, and if you are doing this now, it is a good idea to change the approach, as all consents obtained through a pre-ticked box will not be valid.
Consent must be clearly sought, and the wording must be clear so that individuals are aware of what you are asking consent for. In other words: be clear and concise!
Name all third parties that will rely on the consent sought. If you obtain consent for a subscription but a third party then manages the subscription on your behalf (a typical situation for magazines these days), you should name that third-party organisation.
It should be easy for people to withdraw consent. Make it clear to them how this can be done, and the information on how to do so should be easily accessible.
Keep evidence of consent: who consented, when and how they did so, and what you told them. It is a good idea to keep a historic record of your terms and conditions, so you can easily show what people originally agreed to.
Consent is not forever. If you change any conditions of the service, you should refresh consent.
Avoid making consent a precondition of a service. For example, many places now offer free wifi on condition that you consent to receiving marketing offers from them. This will not be accepted under GDPR: if the wifi is free, it is free, and consenting to receive marketing material should not be mandatory to receive the service.
Consent is not the only lawful basis for processing personal data. Some situations, such as buying a service or a subscription, require you to process customer data in order to provide that service or subscription. Think about the most logical lawful basis for processing rather than making it all about consent.
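The points above about positive opt-in, naming third parties, easy withdrawal, keeping evidence (who, when, how, what they were told) and refreshing consent when the wording changes translate directly into how a consent store should be built. The following is an added example, not code from the page or from the ICO: a small, hypothetical in-memory consent ledger (the names ConsentLedger, ConsentEvent, register_notice, record_opt_in, withdraw, has_valid_consent and evidence are this example's own). It rejects pre-ticked boxes, stores the exact wording shown with each consent, treats consent given against superseded wording as needing a refresh, and keeps an append-only trail so the original agreement can be reproduced later.

```python
"""Consent ledger: an added, hypothetical example of recording consent as evidence."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry in the evidence trail: who, when, how, and what they were told."""
    subject_id: str
    purpose: str
    granted: bool            # False records a withdrawal
    recorded_at: datetime
    method: str              # how the consent was captured, e.g. "signup-form"
    notice_hash: str         # identifies the exact wording shown (see register_notice)
    third_parties: tuple     # organisations named as relying on this consent


class ConsentLedger:
    """Hypothetical in-memory store; a real deployment would use durable, tamper-evident storage."""

    def __init__(self):
        self._events = []    # never overwritten or deleted: the history is the evidence
        self._notices = {}   # notice_hash -> full wording, so the original text can be shown later

    def register_notice(self, wording: str) -> str:
        """Store the exact wording shown to people; its hash serves as the version identifier."""
        digest = hashlib.sha256(wording.encode("utf-8")).hexdigest()
        self._notices[digest] = wording
        return digest

    def record_opt_in(self, subject_id, purpose, notice_hash, method, *,
                      box_ticked_by_default: bool, user_ticked: bool,
                      third_parties=(), when=None) -> bool:
        """Record consent only when it came from a positive action on a box that was unticked by default."""
        if box_ticked_by_default:
            # A pre-ticked box is consent by default, which the GDPR standard does not accept.
            raise ValueError("pre-ticked boxes cannot be used to collect consent")
        if notice_hash not in self._notices:
            raise ValueError("register the notice wording before recording consent against it")
        if not user_ticked:
            return False  # no positive action, so there is no consent to record
        self._events.append(ConsentEvent(
            subject_id, purpose, True, when or datetime.now(timezone.utc),
            method, notice_hash, tuple(third_parties)))
        return True

    def withdraw(self, subject_id, purpose, method="account-settings", when=None):
        """Withdrawal is recorded as its own event, so the grant it cancels stays in the trail."""
        last = self._latest(subject_id, purpose)
        self._events.append(ConsentEvent(
            subject_id, purpose, False, when or datetime.now(timezone.utc),
            method, last.notice_hash if last else "", ()))

    def _latest(self, subject_id, purpose):
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def has_valid_consent(self, subject_id, purpose, current_notice_hash) -> bool:
        """Valid only if the latest event is a grant given against the wording currently in force."""
        last = self._latest(subject_id, purpose)
        return last is not None and last.granted and last.notice_hash == current_notice_hash

    def evidence(self, subject_id, purpose):
        """Everything needed to show who consented, when, how, and what they were told."""
        return [
            {"when": event.recorded_at.isoformat(), "granted": event.granted,
             "method": event.method, "third_parties": list(event.third_parties),
             "wording": self._notices.get(event.notice_hash, "")}
            for event in self._events
            if event.subject_id == subject_id and event.purpose == purpose
        ]


if __name__ == "__main__":
    # Constructed sample data: a newsletter whose mailing is handled by a (fictional) third party.
    ledger = ConsentLedger()
    v1 = ledger.register_notice("We will email you our monthly newsletter. "
                                "Mailing is handled by ExampleMailer Ltd.")
    ledger.record_opt_in("user-42", "newsletter", v1, "signup-form",
                         box_ticked_by_default=False, user_ticked=True,
                         third_parties=("ExampleMailer Ltd",))
    v2 = ledger.register_notice("We will email you our weekly newsletter and partner offers. "
                                "Mailing is handled by ExampleMailer Ltd.")
    print("valid against new wording:", ledger.has_valid_consent("user-42", "newsletter", v2))
    for entry in ledger.evidence("user-42", "newsletter"):
        print(entry)
```

The check in has_valid_consent is what turns "consent is not forever" into something enforceable: when the notice wording changes, every consent recorded against the old hash stops authorising processing until the person opts in again, and the old event stays on record to show what they originally agreed to.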
GDPR is coming into force on 25th May 2018