
GDPR Consent Statement: What It Is and How to Write One

Consent is an important part of human society, particularly the modern one. Whether it’s using a friend’s property or establishing an amorous relationship, “yes” matters a lot. Let’s link this back to data protection.

Since its implementation, the GDPR has placed value on consent. This blog post answers questions about consent under the GDPR, what a GDPR consent statement is, and how to write one.

What is a GDPR consent statement?

In cases where organisations need to obtain consent, it’s vital that the clients or persons are informed. To do that, a GDPR consent statement becomes necessary. 

A GDPR consent statement is a clear declaration that organisations use to get consent from individuals before collecting, processing, and storing their data. This is in accordance with the General Data Protection Regulation (GDPR).

What is the GDPR?

On May 25, 2018, the European Union decided it was time to toughen up data protection. And so the GDPR came to be. The General Data Protection Regulation (GDPR) is the most comprehensive law for data protection in the world, with many adaptations of it, for example the NDPA (Nigerian Data Protection Act).

The goal of the law is to grant data subjects (owners of data) more control over their data and its processing. The GDPR mainly focuses on personal data and sensitive data. Under the EU regulation, personal data refers to information that identifies an individual, e.g. name, age, job, etc., while sensitive data under the GDPR includes vulnerable data such as bank details, National Identification Number, health status, etc.

The Basic Principles of the GDPR:

• Lawfulness, fairness, and transparency
• Data minimisation
• Purpose limitation
• Integrity and confidentiality
• Storage limitation
• Accuracy
• Accountability

Who does the GDPR apply to?

The GDPR applies to any organisation that:

• Processes personal data of EU citizens, regardless of its location,
• Operates fully or partially (a branch) in the EU.

When it comes to punishing the non-compliant, the General Data Protection Regulation has earned its reputation as the strictest data protection law. For example, the Italian data protection authority, the Garante, issued its largest GDPR fine of over €79 million against ENEL Energia for telemarketing misconduct. So, you don’t want to get on the wrong side of the law.

Need help with GDPR compliance? Book a free consultation with our experts at Johan Consults.

Consent and the GDPR

The GDPR places a lot of importance on data subject consent to data processing. Although consent is one of the lawful bases for processing data, it’s not compulsory.

What does that mean? A common myth about the GDPR is that you always need consent to process data. That’s not true. In fact, you can find other reasons if consent proves hard to get.

Consent is only appropriate when you are sure you can stop processing when the subject opts out. Because it would be terrible if you went ahead to process data even when the individual said no.

Also, consent as a precondition of a service may not be lawful. So, if you can process data legally without consent, go ahead. Otherwise, you might face harsh penalties for wrong consent practices.

What is valid consent?

The GDPR places utmost priority on consent and how it’s obtained. Here’s what the GDPR considers valid consent.

Consent must be given freely, with no form of coercion or similar acts; this is very important. The individual must have genuine choice and control over their data, no hanky-panky. The consent includes the data controller’s identity, processing purpose, and the procedure for processing.

Valid explicit consent must be communicated in words, and consent requests must be clear and unbundled from other information. That way, it’s easily identified.

So, what’s the importance of a GDPR consent statement?

The following are reasons to use a GDPR consent statement:

1. GDPR compliance and penalty avoidance: since consent is one of the lawful bases for data processing, the GDPR has standards for it. A clear consent statement shows the organisation complies as necessary. Also, the organisation gets to avoid a GDPR fine of up to 4% of global annual revenue or €20 million (whichever is higher).
2. User control: the GDPR grants data owners more control over their data, and a GDPR consent statement gets the job done. It explains their rights in clear, concise words, thus granting them power.
3. Trust: a consent statement shows the organisation strives to attain transparency. Naturally, individuals will trust the brand more, which is perfect for business.

Example of a GDPR Consent Statement

The example below serves as a perfect depiction of a GDPR-compliant consent statement. Let’s measure it against the key features of a consent form.

“By checking this box, I consent to Techdella collecting and processing my personal data for the purpose of receiving newsletters, marketing materials, and service updates. I understand that my data may be shared with third-party partners for analytics and marketing purposes. I also acknowledge that I have the right to withdraw my consent at any time by contacting support@techdella.com, and I can request access to, modify, or delete my data. For more details, see our Privacy Policy.”

The key elements of a GDPR consent statement

Purpose: a clear explanation of why data is collected and how it’ll be used: “for the purpose of receiving newsletters, marketing materials, and service updates.”

Data sharing: whether data will be shared with third parties: “may be shared with third-party partners for analytics and marketing purposes.”

User rights: the consent statement must inform individuals about their rights, such as access, rectification, and consent withdrawal: “the right to withdraw my consent at any time by contacting support@techdella.com, and I can request access to, modify, or delete my data.”

Clear action: it must have an opt-in mechanism, like a checkbox, for explicit consent: “By checking this box, I consent.”

Contact details: lastly, a valid consent statement must provide contact details for data protection: “support@techdella.com”.

How To Write a GDPR Consent Statement

Now that you know what a consent statement should contain for valid consent, here’s a step-by-step guide to writing a compliant GDPR consent statement.

• State the purpose

State clearly the purpose for which you’re collecting data. Be very specific: is it for marketing, analytics, or something else? Also, if there is more than one reason, make sure to state them separately. This ensures enough clarity.

• Provide means of explicit action for consent

Ensure users take explicit actions to give their consent. Examples: clicking a button, checking a box. Note: pre-checked boxes aren’t acceptable. Importantly, avoid implied consent, like treating continued use of a website as a form of acceptance.

• Inform about data sharing

If you’ll share the data with a third party for any reason, include who they are and what they do, together with the reason why. Additionally, if data transfers will happen, let users know where the data will go and how it will be protected.

• Inform about data retention

Your consent statement must include how long you will store data and what will be done once it’s not needed anymore.

• Include user rights

Include the following rights of individuals in it:

• The right to access their data.
• The right to correct or update their data.
• The right to delete their data (right to be forgotten).
• The right to withdraw consent at any time. Clearly state that users can withdraw consent at any time and explain how they can do so, ensuring that it’s as easy as giving consent.

Make sure to provide instructions on how users can exercise these rights.

• Add contact information

Ensure you add contact details (an email address is enough) that users can reach for enquiries or consent withdrawals.

Note: a GDPR consent form is best kept short, clear, and written in plain language.

In conclusion

A GDPR consent statement is important for organisations that wish to obtain consent in compliance with the GDPR. You get to avoid fines and build customer trust.

Need help with GDPR compliance or any other data regulation? Contact Johan Consults for an assessment.

                      © Johan Consults Limited Nigeria 2024. All rights reserved. Johan Consults Limited Nigeria.
