It’s got nothing to do with the content of your video – explicit consent is a must.
Obtaining your customers’ and suppliers’ consent to collect, store, and use their information is an important part of your GDPR compliance procedures. But the way you obtain that consent, and how you communicate to your customers and suppliers why you need particular sets of information, is just as important. To clear up any confusion: obtaining the consent of your customers, suppliers, and data subjects is not as simple as asking a yes/no question. Rather, obtaining explicit consent is a far more involved procedure, but one that must be followed. Explicit consent is required when your business needs to obtain special category data about its data subjects. This could include medical records or other specified types of information.
Explicit consent is not only given
Before we continue, don’t forget that, in terms of proving your company’s GDPR compliance, you won’t just have to ensure you’ve obtained explicit consent; you’ll need to be able to prove you obtained it in the right way too. To that end, the process of obtaining explicit consent must be:
- Transparent and specific: When you’re obtaining explicit consent, you need to tell your customers and suppliers, upfront, what you intend to do with their information, and how it will be stored, used, and processed.
- Fair: When you’re obtaining consent, you’ll need to ensure that the process is fair to the individual. People, or data subjects, cannot be forced to give their consent.
- Easy to understand: Ditch the jargon! Convert your documentation to plain language, so you and your data subjects can be absolutely certain on the terms and conditions relating to your use, storage, and processing of their information.
The GDPR expanded definition
The process of obtaining explicit consent is, as we said, not as simple as a tick box. The expanded definition includes:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
There is much to unpack when it comes to explicit consent. For example, while an insurance company may need a blood sample for a customer’s application, it is not permitted to simply keep that sample for an extended period of time without the customer’s knowledge. Moreover, what the insurance company does with the results of that blood test, and how the blood sample is analysed, cannot be a hidden process for the customer. In terms of GDPR, your business must be entirely transparent with its customers and suppliers, every step of the way. Without this level of clear communication and transparent process, the standard for explicit consent would not be met.
Consent can’t be simplified
It’s been common practice for websites and other online data collection tools to simply pre-populate forms with the most common or preferred response, using tick boxes or similar mechanisms. This may seem like a simple way to ensure explicit consent, but under GDPR regulations it is not permitted. Pre-ticked boxes or text boxes pre-populated with information cannot be used in your data collection procedures, even if it seems simpler to do so.
Ensuring that your business processes are GDPR compliant includes documenting them and ensuring they follow the guidelines for obtaining explicit consent. But it’s not just GDPR regulations that must be followed. Depending on your territory and operational region, there are other regulations that may apply. At ProPrivacy, we appreciate the UK Information Commissioner’s Office’s definition of explicit consent, as this office outlines the process and definition quite clearly. According to the UK ICO, explicit consent must be:
- Unique: Obtaining explicit consent is not simply part of the standard terms and conditions. It cannot be a mechanism for stopping or propelling another process.
- Defined: There can be no grey areas when your business is asking customers or suppliers to hand over their personal data. The what, why, when, where, and how, of obtaining the personal data must be clearly and unambiguously defined.
- Nominative: Everyone, and every party, that has access to the personal data being handed over, must be listed and informed.
- Documented: The process of obtaining the personal data must be documented, and so too must the process of obtaining explicit consent.
- Revocable: Your business must make it easy for a customer or supplier to simply revoke their consent, and inform people about the process to do so.
- Balanced: Your business must set out a balanced approach to obtaining explicit consent. Obtaining, using, storing, or processing personal information cannot prejudice your clients, or your business, in any way.
If you’re concerned about your business’ processes and procedures, ProPrivacy can help. We’ll help you ensure your business is on the right track towards GDPR compliance.