The topic of consent has received a lot of coverage over the last 12 months. We have seen thousands of companies sending out “re-consent” emails to their customers, and then being surprised with the lack of response. In this data geek’s opinion, there are many companies in for a bigger shock as focus moves on from “do we have consent” to “is this consent legal?”.
Asking someone if they consent to something is complex. There are a number of rules within the GDPR which specify what information you must give someone for them to make an informed decision on whether or not to consent. If you haven’t given someone all of the information required, then you could be putting your company at risk financially and reputationally.
In this blog, I explore 20 of the main “I need to’s…” you need to remember to get a legal consent. I’ve used examples mostly from the recruitment industry, but the theory is the same whoever you are.
I need to let my data subjects know I have their data
Rule number one. The big one. People out there have no idea how many companies are holding on to their data, or what’s being done with it. GDPR talks a lot about transparency, which starts with letting people (data subjects) know that you have something. We’ve all seen our personal inboxes bombarded in the past few weeks with emails from companies trying to tell us exactly this (and most of them made a complete mess of it).
I need to let my data subjects know who I am
It seems obvious, doesn’t it? Telling someone who your company is and what you do. Remember, if you are Jill Smith Ltd, trading as “I Love Shoes” then make sure people understand exactly how that works. They may have never heard of your Ltd company name so take the opportunity to tell them. If you tie it all in, they’re more likely to accept what you’re saying and move on.
I need to let my data subjects know what data I have
“We have your contact details and all data from your CV” is not good enough. Be specific. “We process the following from your CV: your name, email address, phone number, job history, qualifications, hobbies & interests”. This is especially important if you’re processing Special Category data such as criminal convictions or medical info.
I need to let my data subjects know why I have their data, and what I will do with it
It sounds obvious, but companies are still getting this wrong. You must let people know why you’ve got their data, and what you intend to do with it. Be transparent, and give them as much information as you can. This will very rarely be one thing. GDPR makes it clear that you can’t bundle consents together – which leads us nicely into the next point.
I need to make sure I give my data subjects different consent options separately, i.e. not bundled
I can’t emphasise enough how important this is. The GDPR makes it crystal clear that you cannot bundle consents together. If you want to do more than one thing with someone’s data then you MUST give them the opportunity to say yes or no to each one separately.
I need to let my data subjects know when I’m sharing their data with others
You can’t just send data to another company or person because you want to. If you are going to send personal data on, then make sure you tell the person who you’re sending it to. For example, if you are a recruitment consultant then make sure your candidates are consenting to you sending their data to a prospective employer.
I need to make sure this info is given in simple English
Legal jargon is a big no under GDPR. We’ve all seen those 16-page privacy policies written by lawyers. Chances are the lay person trying to work out if they consent or not won’t have a clue what it’s going on about. If they can’t understand it, then their consent is unlikely to be legal and you will end up in a sticky position.
I need to make sure this info is easy to understand and concise
Lay out your consent request in small, easy-to-digest chunks. Think about how the person in question will best identify with what you’ve sent them. Will they react well to a full A4 page of text? Or would they react better to 3 or 4 small, well laid-out paragraphs?
I need to make sure this info is not bundled into our terms of business / T&Cs
Again, GDPR makes this very clear. Make sure you separate consent information from any terms and conditions. Terms of business are rarely concise, and are not necessarily easy to understand so they would fail the consent rules straight away. If you need to send T&Cs in one document and a consent request in another, then so be it.
I need to go back to my data subjects from time to time to check they’re still OK with me processing their data
Gone are the days of holding on to personal data for ever. If you’re getting someone’s consent to hold their data, then you need to tell them how long you’ll be processing it for. Make sure you stick to it. If you decide that 2 years is appropriate, then the consent will only be legal for 2 years. After that, go back and re-consent. The data subject will respect you more for sticking to your promises.
I need to let my data subjects know when I change what I’m doing with their data
If you change what you’re doing with someone’s data then make sure you go back to them as soon as you identify the need for change. There’s nothing wrong with asking for re-consent because you’ve made a change. In fact, think how great that looks to the data subject – “We want to make a change to how we process your data. Here’s the change and here’s why, so please tell us if you’re happy with it”. That’s a great message.
I need to tell my data subjects that they can withdraw their consent and how to do it
Every person who gives their consent for something must be able to withdraw their consent as easily as they gave it. This is an interesting point, and one which has been frequently overlooked. What does this mean in real terms? If you email someone asking for their consent to do something with their personal data, they must be able to email you back to withdraw their consent. That leads on to the question of how you would manage those emails. Who is going to be responsible for actioning them in a timely manner? How can you confirm the ID of the person sending the email?
My data subjects need to tell me if they consent to the above
I saw a cracking “reconsent” email arrive in my inbox from an online retailer just before 25th May. The subject was “GDPR – We need your consent”. The email went on to list all of the normal things you would expect, then at the bottom it just said “If you have any questions please contact us on…” and that was it. The company had been so focussed on getting the email out that they had completely forgotten to ASK for consent. Always remember to ask!
My data subjects need a way of asking me for a copy of all the data I hold on them
Ahh – Subject Access Requests (SARs). They are the data subjects’ way of asking you for a copy of all the data you hold on them. You have 30 days to complete the request, you cannot charge a fee and the clock starts the minute the request arrives in your business. If rumours are true and we see PPI companies re-opening as SAR houses, you must have a process ready to handle incoming SARs.
My data subjects need to tell me if they want me to delete their data
Data subjects have a right to be deleted (depending on the legal basis on which you process their data). This is going to be a manual task a lot of the time, so you need to consider how you would process such requests. Does your CRM system even allow you to delete records?
I need to tell my data subjects that if we delete their data from our CRM, we need to keep a small amount to ensure we don’t add them on again in the future
Suppression lists are the way forward. They offer a way of acting upon someone’s request to delete their data, and retaining enough data to ensure they aren’t re-added at a later date. A good consent system will have some sort of suppression list to stop you accidentally processing someone’s data after they’ve asked you to delete it.
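As an added example (constructed for this post, not Obsequio’s software or any real CRM), here is a minimal Python consent store that ties together several of the points above: each purpose is a separate, time-limited consent (points 5 and 10), withdrawal is per purpose (point 11), and erasure keeps only a keyed hash of the normalised email as the suppression entry, so no plaintext personal data remains but a later re-add is still caught. The key and the candidate details are constructed sample values.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

SUPPRESSION_KEY = b"constructed-demo-key"  # constructed; keep the real one in a secrets store

def suppression_token(email: str) -> str:
    """Keyed hash of the normalised address: recognises a returning subject without keeping their data."""
    return hmac.new(SUPPRESSION_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class ConsentStore:
    def __init__(self):
        self.records = {}        # normalised email -> {purpose: expires_at}
        self.suppressed = set()  # tokens of subjects who asked for erasure

    def record_consent(self, email, decisions, granted_at, retention_days):
        """Each purpose is its own yes/no (never bundled); only an explicit yes is stored."""
        if suppression_token(email) in self.suppressed:
            raise PermissionError("subject asked for erasure; do not re-add them")
        rec = self.records.setdefault(email.strip().lower(), {})
        for purpose, agreed in decisions.items():
            if agreed is True:
                rec[purpose] = granted_at + timedelta(days=retention_days)
        return rec

    def may_process(self, email, purpose, now):
        expires = self.records.get(email.strip().lower(), {}).get(purpose)
        return expires is not None and now < expires  # expired consent is no consent

    def withdraw(self, email, purpose):  # withdrawal is per purpose and as easy as consenting
        self.records.get(email.strip().lower(), {}).pop(purpose, None)

    def erase(self, email):  # right to erasure: drop the record, keep only the token
        self.records.pop(email.strip().lower(), None)
        self.suppressed.add(suppression_token(email))

def demo():
    store, t0 = ConsentStore(), datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.record_consent("Jane@Example.com", {"cv_to_employers": True, "marketing": False}, t0, 730)
    out = {"cv_ok": store.may_process("jane@example.com", "cv_to_employers", t0 + timedelta(days=1)),
           "marketing_ok": store.may_process("jane@example.com", "marketing", t0 + timedelta(days=1)),
           "cv_expired": not store.may_process("jane@example.com", "cv_to_employers", t0 + timedelta(days=731))}
    store.erase("jane@example.com")
    try:
        store.record_consent("jane@example.com", {"marketing": True}, t0, 730)
        out["readd_blocked"] = False
    except PermissionError:
        out["readd_blocked"] = True
    out["plaintext_retained"] = "jane@example.com" in store.records
    return out
```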
I need to be able to prove all of the above
It’s great getting consent from someone, but think carefully about how you would prove it if required. For example, verbal consent is perfectly legal but if you were asked to prove you received it, could you? Recorded phone lines could be the answer but only if you have a good enough system to link the phone recording to a CRM record. It’s best to get consent in writing, and have the proof stored in the same place, every time.
My data subjects need to be able to check all of the above
Your customer/candidate needs to check all of the information you give them before they say yes or no. If they aren’t given all of the information, how can they give an informed consent?
I need to be able to customise the emails my data subjects receive
There is no such thing as a “one fits all” consent template. This comes back to my previous point about not using legal wording. Customise the language so it sounds like your business. People are more likely to consent to something if they believe it is from you.
I need to give my data subjects an easy mechanism to do the things above
When all is said and done, a process is only as good as its execution. We started Obsequio because we know that people need a simple, cost-effective way of getting all 20 things in this blog done. Consistency is the key to compliance and consent is complex, so make sure you have a solid compliance system in place. That could be manual (for companies who can afford to invest in someone to run the manual processes) or you could find a reputable piece of consent management software to help take some of the strain.
Ready to do consent well? See how Obsequio’s consent management software can make GDPR consent simple, easy and effective.