GDPR, or the General Data Protection Regulation, was implemented on May 25th, 2018 in the public interest of data protection. It applies to everyone dealing with EU citizens. GDPR is considered to be one of the major changes data privacy and protection has seen in the past 20 years. It has many legal bases for the processing of data, one of which is consent.
When the legal basis of data collection is consent, user consent is required before any kind of personal data is collected from them. Consent is a very easy requirement to satisfy. When entering any user data or giving consent to use user data, users need to be informed. This practice will help all website owners avoid hefty fines for non-compliance with GDPR.
The other legal bases of GDPR are:
- The processing of data is allowed if the data subject is under a contract.
- Processing of data is allowed to comply with a legal obligation.
- Processing of data is allowed when it comes to the public interest or official function.
- Processing of data is allowed when it comes to saving a life.
- Processing is allowed when it is in the legitimate interest. However, this might not be applicable in the case of sensitive data, like that of a child.
Conditions for Consent
- When processing of user data is based on consent, the controller needs to be able to demonstrate that the consent of the user has been obtained for the processing of their data.
- If the consent of the user is given in a written format, the request should be presented to the user in a clear manner using plain and understandable language.
- Data subjects should have the right to withdraw their consent at any time. This is something data subjects need to be informed of prior to giving consent.
- When checking if consent is given freely, irrespective of what contract the user might be under, no unnecessary data is to be collected from the user.
Let us discuss some of these in further detail.
Consent must be given freely
Freely given consent is important in GDPR, as opposed to making users give their consent by providing them with less information and deceiving them. When consent is requested, the data subject should not feel pressured or compelled to give their permission and should have the right to refuse or withdraw the consent given.
An exception to this is when the need for payment arises and you need their bank or credit card details to make the purchase. Other than such cases, separate consent is required for each and every data processing operation.
Consent must be to the point
When consent is requested from the user, it should be done in a manner that is clearly distinguishable from other matters. For example, when collecting an email address or IP address, one should not write a long paragraph of details on how that data is going to be handled. Instead, explain each data use separately and give the user the opportunity to consent to each activity individually.
In cases where one piece of data is used for more than one purpose, for example, if your website stores phone numbers for identity verification and marketing, consent must be obtained for each purpose separately.
Consent must be informed
Every user needs to know what they are signing up for and how they can withdraw from what they just signed up for. Without involving any technical terms, the identity and working of your website must be made clear to the audience.
Consent must be unambiguous
This means that the data subject's inactivity or pre-checked boxes appearing on the screen should not be taken as consent. Consent is only considered given when data subjects themselves tick a box which clearly states that they agree to the sharing and processing of their personal information.
Consent can be revoked
Although GDPR does not say how long consent remains valid, in many situations holding onto user data based on that consent for longer periods, when it is no longer valid, violates the user's right to be forgotten.
A data subject must be free to decline and to withdraw the consent they gave any website to use their personal data. Every data subject has the right to be forgotten and to have their data erased from a website if they wish.
These were some of the requirements of consent under GDPR. GDPR sure might seem a bit complex and a struggle to be in compliance with, but it sure is here to stay and build better data privacy for data subjects.