Training a team? Speak to us on 01943 885085
Last updated: 11.10.17

Personal data & GDPR: How consent has changed

General Data Protection Regulation (GDPR) officially came into force on May 25th 2018, changing the rules around data consent as outlined in the old Data Protection Act.

Personal data and GDPR

Under GDPR, conditions surrounding consent have been restructured, meaning companies should no longer be using long and complex terms and conditions that are full of legal jargon. Instead, information on data privacy must be easily accessible, easy to understand and let consumers know exactly how their data will be stored, used and processed.

What's more, rules around consent must be distinguishable from all other privacy matters and be outlined in clear and plain language. GDPR provides consumers with a 'right to be forgotten', so withdrawing consent for data usage must be as easy as giving it.

The legislation requires companies to give their customers an 'opt-in' option to having their data kept on file, and bans pre-ticked opt-in boxes. In addition, businesses need to keep clear records demonstrating exactly where consent has been given.

Personal data and GDPR: Minors

One of the biggest changes to come in with GDPR is that parental consent is now required before internet service providers can process the personal data of children aged 16 and under. A similar rule has already been in place in the US for almost 20 years.

This change in particular demonstrates how companies can no longer simply generalise and brush over data consent. If they do not take GDPR's data consent laws seriously, they could face hefty financial penalties.

GDPR considerations

Ahead of the introduction of GDPR, businesses should have spent time rewording their current data consent policies to provide greater clarification to consumers.

Measures should also be in place for determining the difference between valid and explicit consent, with a data controller appointed to deal with any personal data consent-related queries.

Every company should also have a code of conduct to implement standards for effective consent verification, taking into account the specific features of their individual business.

Remember, the penalty for failing to comply with GDPR and provide clarity on consumers' personal data can be as much as €20 million, or four per cent of a firm's annual turnover, depending on which is greater.

Want to know more about what's changed regarding personal data and consent following the introduction of GDPR?

Does your company need an introduction to GDPR? Check out our free GDPR overview course today.

Related resources