Article 7 of the GDPR states that:
…the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
In addition to the overtly stated requirement in Article 7, there are several other instances in which controllers and processors need to be able to demonstrate a compliant approach to obtaining consent. It is therefore important to demonstrate not only that you have obtained consent but also that the consent was obtained in the correct manner and therefore remains a lawful basis for processing personal data. A consent report or record should therefore include at least the following:
- The rights the person providing consent has been made aware of, specifically including the right to withdraw consent
- Where and how consent is given
- The purposes for which the data will be used and therefore the basis for consent
- How consent is presented – in a clear manner and separate from other information
- The request and verification of parents where processing data relating to children
The consent report is best constructed in two stages: prior to consent being taken and once consent has been obtained.
Prior to consent, document:
- the purposes for which you want to obtain consent
- how consent will be presented and what information you will provide with the request for consent
- any verification, checking or follow-on processes that relate to the consent
After consent is taken:
- Time and date that consent was given
- How long the consent is valid for
The steps prior to consent being obtained are likely a one-time documentary exercise, with this documentation reviewed regularly in line with other measures. The steps after consent will often be automated via computer systems to give a log of which consents were obtained and when.
A newsletter is created to tell existing customers about an upcoming product launch
- The reasons for contacting your customers are documented and explained to them, and the request for permission to send the newsletter is sent separately from other requests. In the request you have explained the customers' rights and that they can withdraw from the newsletter at any time. In this case the consent is obtained by an opt-in tick box on an online form, which allows you to create a log of where and when the customer gave consent to receive this newsletter.
Business cards are dropped in a bowl at a marketing event
- A clear notice is displayed next to the bowl which explains what you will do with the information on the business cards placed inside. The notice also explains that, by proactively placing a business card inside the bowl, consent is being given for your organisation to make contact for the stated purpose. Also available in the immediate vicinity is information on the business card holders' rights and how they can withdraw this consent at a later date if they so wish.
- GDPR Recitals: 42
- GDPR Articles: 7