Ask for consent
Describes the GDPR guidelines for consent.
The GDPR rules for consent are much more strict than the previous legislation. To collect PII data, you must ensure consent from anyone about whom you want to collect data.
In certain situations, consent does not have to be given, such as when you need the data to fulfill a legal obligation toward the data subject.
Format consent
GDPR states consent must be "freely given, specific, informed and unambiguous and requires affirmative action." This means that the consent needs to be active and that it is not enough to add an option: "If you continue to go to this site, you let us store your personal data." The data subject must actively enter their email address and enable a box or similar action. Checkboxes cannot be enabled by default.
You must write the consent notification in clear and simple language to ensure that the data subject understands what they consent to. You also must explain the purpose of the data collection and how the PII data will be used.
Suppose you want to use the PII data for different purposes. In that case, each purpose must be clearly stated, and the data subject must consent to, or not consent to, each purpose individually. The consent form should also include a link to your privacy policy.
Store consent (versions)
When you need a data subject's consent, you must store that consent (perhaps in a user profile). You must also keep track of the consent given by the data subject to match the consent with the exact purpose and collected data.
For example, suppose you set up a web form to collect names and email addresses from potential customers. Later, you also need their phone numbers, so you add a phone number field to the web form. In this case, you need to track which version of the form each data subject consented to. You will also need a clear explanation of why you need an email address and a phone number, and you must give the customer the option to consent to one but not the other.
Withdraw consent
Withdrawing consent must be as easy as giving consent, and the data subject can withdraw consent at any time. Preferably, you should have an automated procedure where the data subject can log in and withdraw their consent themselves. The data subject should not have to phone you and ask you to remove their consent.
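The three requirements above (affirmative, per-purpose consent; consent tied to the exact form version and data fields; withdrawal as easy as giving consent) map onto one small data model. The following is an added example written for this page, not code from the page's author or project: `FORM_VERSIONS`, `ConsentRecord` and `ConsentLedger` are hypothetical names, and the two form versions (version 2 adds the phone number field from the example above) are constructed sample data. A missing checkbox value counts as no consent, so nothing is ever pre-ticked; withdrawal marks records rather than deleting them so the history stays auditable; and a field may only be processed if an active consent covers a purpose that included that field in the form version the subject actually saw.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed example: each published version of the consent form lists the
# purposes it asks about and the PII fields each purpose covers.
# Version 2 adds the phone number field described in the page's example.
FORM_VERSIONS: Dict[int, Dict[str, List[str]]] = {
    1: {"newsletter": ["name", "email"]},
    2: {"newsletter": ["name", "email"], "phone_followup": ["phone"]},
}


@dataclass
class ConsentRecord:
    """One affirmative consent for one purpose, tied to the form version shown."""
    purpose: str
    form_version: int
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Hypothetical append-only store of consent records per data subject."""

    def __init__(self) -> None:
        self._records: Dict[str, List[ConsentRecord]] = {}

    def record_consent(self, subject_id: str, form_version: int,
                       choices: Dict[str, bool]) -> List[str]:
        """Store the purposes the subject affirmatively ticked on this form version.

        `choices` maps purpose -> True/False exactly as submitted. A purpose that
        is missing from `choices` counts as NOT consented: nothing is pre-ticked
        and silence is never treated as agreement. Returns the purposes stored.
        """
        purposes = FORM_VERSIONS[form_version]
        unknown = set(choices) - set(purposes)
        if unknown:
            raise ValueError(f"form v{form_version} does not ask about: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        stored: List[str] = []
        for purpose in purposes:
            if choices.get(purpose) is True:
                self._records.setdefault(subject_id, []).append(
                    ConsentRecord(purpose, form_version, now))
                stored.append(purpose)
        return stored

    def withdraw(self, subject_id: str, purpose: str) -> int:
        """Withdraw every active consent for `purpose`; returns how many were withdrawn.

        Records are marked withdrawn, not deleted, so the audit trail survives.
        """
        now = datetime.now(timezone.utc)
        count = 0
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.active:
                rec.withdrawn_at = now
                count += 1
        return count

    def may_process(self, subject_id: str, field_name: str) -> bool:
        """True only if an active consent covers a purpose that, under the form
        version the subject actually saw, included `field_name`."""
        for rec in self._records.get(subject_id, []):
            if rec.active and field_name in FORM_VERSIONS[rec.form_version][rec.purpose]:
                return True
        return False

    def history(self, subject_id: str) -> List[dict]:
        """Audit trail: which purpose, which form version, when given, when withdrawn."""
        return [
            {"purpose": r.purpose, "form_version": r.form_version,
             "given_at": r.given_at.isoformat(),
             "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
            for r in self._records.get(subject_id, [])
        ]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_consent("subject-1", 1, {"newsletter": True})
    print("email:", ledger.may_process("subject-1", "email"))
    print("phone:", ledger.may_process("subject-1", "phone"))
```

The version check in `may_process` is what makes the upgraded form safe: a subject who consented to the newsletter on version 1 never implicitly covers the phone number that only version 2 asks about, and declining `phone_followup` on version 2 leaves the earlier email consent intact.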