The identity of the controller, the exact purposes of the data use, the processing activities involved and the right to withdraw consent should all be included to ensure the individual is fully informed.
Establish clear withdrawal mechanisms and regularly review procedures to ensure any changes to processes are responded to as required.
"It's crucial that it's sustainable," says Wood. "It has to be embedded in the organisation. There's got to be a range of people who actually can take responsibility for different parts of the process."
When consent is needed
Consent will likely be required if there is a need to give a real choice and control over data use, such as sending marketing material, installing mobile apps or tracking website cookies.
However, consent isn't always essential. If offering a choice is not possible, there may be other more appropriate procedures for data use in some circumstances.
Common examples of when consent would not be appropriate are when the data use is a precondition of using your service, when the data would be lawfully processed anyway, when you are in a position of power over the individual consenting, when the processing is legally required or is a public task, or when not doing it would endanger an individual's life.
Other lawful foundations for the data use could be legitimate interests, the processing being necessary for the performance of a contract or the performance of a public task, or the processing serving a vital interest.
The requirements may appear daunting at first, but they also offer an opportunity for organisations to build customer trust and strengthen their reputations. The value of data will continue to rise, and it will become ever more important for companies to manage it accurately.