Personal data & GDPR: How the role of consent has changed
When the GDPR comes into force there will be changes to how businesses gain consent to use a person's data. Here we take a look at how this will differ from the current law.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 will change the rules on consent that apply under the current Data Protection Act. In particular, the requirements for parental consent regarding a minor online will be strengthened so that children and young people are protected.
Conditions surrounding consent have been restructured, meaning that companies will not be able to use long and complex terms and conditions that are full of legal jargon. Instead, the request for consent must be easily accessible and easy to understand, and must have the purpose for data processing attached to it.
In addition, consent must be clearly distinguishable from other matters and must be requested in an intelligible and easily accessible form, using clear and plain language. Withdrawing consent must also be as easy as giving it, as users will now have a ‘right to be forgotten’.
The data of minors
As of May, for the first time, the GDPR will require parental consent before information society service providers can process the personal data of children under 16 years of age. Although this is a new avenue for Europe that will no doubt face many interpretations and implementation challenges, it is currently in practice in the US and has been for almost two decades.
Moving forward, companies cannot treat consent as an area to generalise and brush over, and they must work now to prepare for the upcoming regulation to avoid heavy fines that could be damaging to their business.
Organisations and companies must think now about rephrasing and rewording their current information surrounding consent. They must provide greater specification about what is meant by consent, considering the legal grounds. They will have to establish whether or not there is an available alternative to the consent path.
Given the extensive lengths that a data controller will have to go to in order to demonstrate valid consent, it is hard to see what further steps could be needed to distinguish such a consent from one that is explicit.
However, codes of conduct could be a possible way to create standards for effective consent verification, and the GDPR encourages data controllers to adopt codes of conduct that take into account the specific features of each business.