What it Means
Regulations in which companies process personal data of their clients have been tightened under GDPR. Consent is at the heart of the new regulation and it is something that companies should pay particular focus to during their GDPR preparations.
Organisations can break the principle down in to three questions; whose personal data are they collecting, why are they collecting it, and how are they approaching the subsequent processing of the data. The “data subjects” should be clearly defined. For example, a “data subject” is defined as “living individual to whom personal data relates”, therefore they are any client of which an organisation controls and processes their personal data. The reason for the collection and processing of personal data should be clearly determined and documented upon a legal basis. The approach to the processing of the data is centered around consent.
The following conditions must be adhered to in order for consent to be deemed valid:
- Consent must be given from their own free will, without force and there must be no requirement for unnecessary details.
- The person/data subject must be clearly informed, in plain language, what exactly is being asked of them and how they can opt-in or out.
- In relation to the above conditions, the consent given will be specific only to the processing at the stated time of consent and cannot be used or changed later without further consent.
- Positive action must be used to indicate consent i.e. the person must submit a form or tick a box to give indication of their consent.
Should an organisation meet these conditions already, existing consent from clients shall be deemed valid. In the case of persons under the age of 16, processing of their personal data is only lawful if parental consent is also given in addition to compliance with the above terms.
In regards to your data processing, you must also ensure data subjects are also informed and aware of the following:
- The identity and the contact details of the controller or its representative
- The contact details of the data protection officer
- The purposes of the processing
- The legal basis for the processing
- Where the processing is based on a legitimate interest, details must be provided
- The recipients or categories of recipients of the personal data
- Details of third country transfers
- The existence of the following rights:
- Access to personal data
- Rectification of personal data
- Erasure of personal data
- Restriction of processing
- Object to processing
- Right to data portability
- Right to withdraw consent
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is optional or compulsory
- Rights in respect of Automated Decision Making