The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Central to the changes on data regulation is a strengthening of the rules around obtaining consent, intended to give individuals choice and control over their data on an ongoing basis.
The regulation places an increased emphasis on clarity from the beginning and on dynamic consent that is consistently monitored and managed, putting the individual in control. Consent requests need to be clear, transparent, and in plain language.
A positive opt-in is necessary, meaning an affirmative action that unambiguously indicates the individual's wishes. The request must describe the exact implications of what is being agreed to. Consent by default is not sufficient, and pre-ticked boxes have been explicitly banned.
Every specific operation requires granular consent, and any third parties who rely on the consent should also be clearly named. Consent mechanisms must be prominent, concise, and easy to understand for each individual chunk of data and collection method. If anything about the original consent changes, such as the purpose of processing the data, a further consent will be required for the new purpose.
Procedures should be in place to make it easy to withdraw consent at any time, and individuals must be made aware of this from the outset. Their consent must be a genuine choice, and cannot be a condition of service.
Any complex technology used must be fully comprehensible in simple explanations. Artificial Intelligence, for example, will require a level of algorithmic transparency that can be understood by an average person.
The form of consent now required could force some organisations to approach the same individuals again for further permission to use their data, but those that are already following good practice should be okay.
"If your consent is of a high standard now for the personal data you're processing, then you can continue to rely on that consent under the GDPR," says Head of International Strategy and Intelligence at the UK Information Commissioner's Office (ICO) Steve Wood.
"GDPR is creating a greater focus on making sure that consent is specific and granular as well. GDPR is focusing on the record-keeping around consent and the audit trail you need to have.
"Consent has got to be easy to withdraw, and you're going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with."
Keep clear records of all consent taken. This should include details on the individuals concerned, what they consented to, when they provided the consent, and what information they were given. If they withdraw any consent, that should also be documented. All consent documentation should be kept separate from any other company documents.
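The record-keeping requirements above, together with the earlier points on positive opt-in, granular purposes, named third parties and easy withdrawal, can be captured in a small append-only consent ledger. The code below is an added illustration written for this article; it is not code from the ICO or from any product, and the subject identifier, purposes, notice wording and third-party name in the demo are constructed sample values.

```python
"""Append-only consent ledger (added illustration, not the ICO's or any vendor's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable audit-trail entry: who, what, when, how, and what they were told."""
    subject_id: str
    purpose: str                          # one granular purpose per event, never a bundle
    action: str                           # "granted" or "withdrawn"
    recorded_at: datetime                 # UTC time of the individual's act
    notice_text: str                      # exact wording shown to the individual at the time
    mechanism: str                        # e.g. "unticked checkbox on signup form"
    third_parties: tuple[str, ...] = ()   # recipients named in the consent request


class ConsentLedger:
    """Consent records kept apart from other business data and never edited in place."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        # The trail is chronological and append-only; corrections are new events.
        if self._events and event.recorded_at < self._events[-1].recorded_at:
            raise ValueError("events must be appended in chronological order")
        self._events.append(event)
        return event

    def record_grant(self, subject_id: str, purpose: str, notice_text: str, mechanism: str,
                     affirmative_action: bool, third_parties: tuple[str, ...] = (),
                     at: Optional[datetime] = None) -> ConsentEvent:
        # A default setting or pre-ticked box is not consent: refuse to record it at all.
        if not affirmative_action:
            raise ValueError("consent must be a positive opt-in, not a default")
        if not notice_text.strip():
            raise ValueError("the information given to the individual must be recorded")
        return self._append(ConsentEvent(subject_id, purpose, "granted",
                                         at or datetime.now(timezone.utc),
                                         notice_text, mechanism, tuple(third_parties)))

    def record_withdrawal(self, subject_id: str, purpose: str, mechanism: str,
                          at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is documented with the same detail as the original grant.
        return self._append(ConsentEvent(subject_id, purpose, "withdrawn",
                                         at or datetime.now(timezone.utc), "", mechanism))

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose]
        return matching[-1] if matching else None

    def is_valid(self, subject_id: str, purpose: str, third_party: Optional[str] = None) -> bool:
        """True only if the latest event for this exact purpose is a grant that (if asked)
        named the third party. A different purpose is a different consent."""
        latest = self._latest(subject_id, purpose)
        if latest is None or latest.action != "granted":
            return False
        return third_party is None or third_party in latest.third_parties

    def history(self, subject_id: str) -> list[ConsentEvent]:
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict[str, object]:
    """Constructed scenario: grant, check granularity, reject a pre-ticked box, withdraw."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_grant("subject-123", "newsletter",
                        "We will email you our monthly newsletter. Unsubscribe at any time.",
                        "unticked checkbox on signup form", affirmative_action=True,
                        third_parties=("ExampleMail Ltd",), at=t0)
    results: dict[str, object] = {
        "newsletter_ok": ledger.is_valid("subject-123", "newsletter"),
        "named_processor_ok": ledger.is_valid("subject-123", "newsletter", "ExampleMail Ltd"),
        "unnamed_party_ok": ledger.is_valid("subject-123", "newsletter", "OtherCo"),
        "profiling_ok": ledger.is_valid("subject-123", "profiling"),  # new purpose, no consent
        "preticked_rejected": False,
    }
    try:  # a pre-ticked box never becomes a record
        ledger.record_grant("subject-123", "profiling", "Profile my browsing", "pre-ticked box",
                            affirmative_action=False, at=t0.replace(hour=10))
    except ValueError:
        results["preticked_rejected"] = True
    ledger.record_withdrawal("subject-123", "newsletter", "unsubscribe link", at=t0.replace(hour=11))
    results["newsletter_after_withdrawal"] = ledger.is_valid("subject-123", "newsletter")
    results["events_recorded"] = len(ledger.history("subject-123"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ledger stores the notice wording and mechanism alongside each grant, so an auditor can see exactly what the individual was shown; validity is checked per purpose and per named recipient, so consent gathered for one purpose cannot be silently reused for another.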