The General Data Protection Regulation (GDPR) is a set of regulations enforced in the European Union to protect consumer data privacy and instill new controls over data ownership and use. While only having jurisdiction in the EU, this law has had a major impact on how companies do business in Europe, especially digitally.
Here, we’ll discuss some of the compliance requirements in place under GDPR for consent and privacy. These requirements are deeply ingrained into GDPR law and impact the professional and technical operations of organizations operating in the EU.
What is Consent Under GDPR?
Under Article 4 of GDPR law, consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
What does this mean? Well, it’s important to note that GDPR enforcement is rather strict, and as such, the meaning of the definitions provided in Article 4 is incredibly important to how organizations operate. The keywords in the article are:
- Informed: Consent can only be given by a data subject when they are informed that they are giving data, they are told why they are being asked to provide personal information, and what the information is for.
- Unambiguous: Consent cannot be gained through rhetorical tricks or poorly-worded disclaimers. The collecting organization must make it abundantly clear that they collect information for certain business purposes.
- Specific: Under other parts of GDPR law, businesses are only allowed to collect and process data for specific and clearly-defined purposes. Using data outside of these stated purposes can result in non-compliance. Businesses must gain consent with a specific disclaimer of collection purposes.
- Freely Given: The data subject must provide final consent of their own accord. That means collection and marketing efforts utilizing “opt-out” models, typical in the U.S. and other countries, are not compliant.
While these laws seem like they are placing an undue burden on businesses, the truth is that they call for these businesses to actually inform consumers about data collection and gain clear, documented consent first.
This approach is colloquially known as an “opt-in” approach. Businesses operate through an opt-out model in most jurisdictions where data collection and marketing efforts can start without direct consent. It’s up to the consumer to opt-out of the collection, data processing or marketing. Under GDPR, however, a business must have permission to opt consumers into any business processing.
How Can I Be Compliant with GDPR Consent Laws?
Consent might initially come across as a business and logistics question. However, this law significantly impacts digital business operations, including website operations, marketing efforts and data processing. As such, consent has quickly become an IT compliance issue.
For example, you may have started noticing the increased presence of cookie-related permission forms popping up on large websites: forms with detailed disclaimers and one (or several) buttons allowing you to select how the site collects browsing information. These websites are operating, or potentially operate, in the EU, and as such, any practice of collecting browsing data is governed by GDPR. Those forms are how these sites gather and document the consent the law requires.
As many IT and compliance officers learn, an organization must gain, document and prove consent to maintain compliance. This isn’t a business problem; it is a technology problem because a business must have proof of consent for each use of consumer data.
So, then, how does an organization stay compliant with consent laws? There are a few primary approaches:
- Clearly-Defined Consent Form Elements: Consent online can be given through (clearly defined, articulated and documented) check boxes or buttons. Make sure that any form containing consent-gathering elements is clearly marked as to the purpose those elements serve.
- Automate Documentation of Consent: Once the consumer provides consent, this information must be stored on a secure server. It must record what they’ve consented to and identifying information demonstrating their consent.
- Immutability: Records of consent, much like any other form of personal information, must be secure against tampering. This means protections against breaches and event-based audit logging and reporting that can be produced for compliance audits.
- Include Easy-to-Find Opt-Out Instructions: Either in the consent forms or in subsequent communications, your organization should always include instructions for the quick and easy withdrawal of consent when the consumer wants collection and marketing to end.
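The four points above amount to a small data model: a record of which specific purposes a subject agreed to, the evidence of the affirmative action, a way to record withdrawal without erasing the original grant, and protection against tampering that an auditor can check. The following Python sketch is an added example, not code from the original post or from Continuum GRC’s platform. It stores consent events in an append-only, hash-chained ledger so that any edited, deleted or reordered record is detectable, and answers the question “does subject X currently have consent for purpose Y?” from the event history. All identifiers, form names and evidence fields (`subject-123`, `signup-v3`, `affirmative_action`) are constructed sample values; a production system would also persist the ledger to storage with restricted write access.

```python
"""Tamper-evident, purpose-specific consent ledger (added illustration, constructed data)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the first entry in an empty ledger


def _entry_hash(entry):
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def _append(ledger, event, subject_id, purposes, evidence, ts):
    """Append one event; each entry commits to the previous entry's hash."""
    entry = {
        "seq": len(ledger),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "event": event,                 # "grant" or "withdraw"
        "subject_id": subject_id,
        "purposes": sorted(purposes),   # specific purposes only, never a blanket "everything"
        "evidence": evidence,           # how consent was shown: form id, wording version, channel
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS_HASH,
    }
    entry["hash"] = _entry_hash(entry)
    ledger.append(entry)
    return entry


def record_consent(ledger, subject_id, purposes, evidence, ts=None):
    """Document an opt-in: what was consented to and the proof that it was given."""
    if not purposes:
        raise ValueError("consent must name at least one specific purpose")
    if not evidence.get("affirmative_action"):
        raise ValueError("consent requires a clear affirmative action, not a pre-ticked box")
    return _append(ledger, "grant", subject_id, purposes, evidence, ts)


def withdraw_consent(ledger, subject_id, purposes, evidence, ts=None):
    """Document withdrawal; the original grant is kept, never edited or deleted."""
    return _append(ledger, "withdraw", subject_id, purposes, evidence, ts)


def has_consent(ledger, subject_id, purpose):
    """Current state for one subject and one purpose: the most recent grant/withdraw wins."""
    state = False
    for e in ledger:
        if e["subject_id"] == subject_id and purpose in e["purposes"]:
            state = e["event"] == "grant"
    return state


def verify_chain(ledger):
    """Return (ok, first_bad_seq); any edited, removed or reordered entry breaks the chain."""
    prev = GENESIS_HASH
    for i, e in enumerate(ledger):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def demo():
    """Grant, partial withdrawal, then a simulated after-the-fact edit of the grant."""
    ledger = []
    record_consent(ledger, "subject-123", ["newsletter", "analytics"],
                   {"form_id": "signup-v3", "wording_version": "2024-01",
                    "affirmative_action": "checkbox_ticked", "ip": "203.0.113.5"},
                   ts="2024-01-10T09:00:00+00:00")
    withdraw_consent(ledger, "subject-123", ["newsletter"],
                     {"channel": "unsubscribe_link"}, ts="2024-02-01T12:00:00+00:00")
    chain_ok_before, _ = verify_chain(ledger)
    # Simulated tampering: quietly widening the old grant to cover a purpose never consented to
    ledger[0]["purposes"].append("profiling")
    chain_ok_after, first_bad = verify_chain(ledger)
    return {
        "newsletter": has_consent(ledger, "subject-123", "newsletter"),  # withdrawn
        "analytics": has_consent(ledger, "subject-123", "analytics"),    # still granted
        "chain_ok_before": chain_ok_before,
        "chain_ok_after": chain_ok_after,
        "first_bad_seq": first_bad,
    }


if __name__ == "__main__":
    print(demo())
```

The hash chain only proves integrity relative to a trusted head: periodically exporting the latest entry hash to a separate system (or a signed audit log) is what lets an auditor confirm that the whole ledger, not just its internal links, is the one that was originally written.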
Maintain GDPR Compliance with Automated Audits from Continuum GRC
Parts of GDPR compliance are strictly business: ensuring that forms, contracts and communications are worded in such a way as to meet the demands of the law. Others, such as implementing forms online and maintaining immutable, secure compliance records, are IT issues. Fortunately, IT compliance can be subject to rapid, automated compliance audits to ensure adherence to requirements.
If you’re operating in the EU or plan to shortly, trust Continuum GRC and our ITAM automated auditing platform to help you get your systems in line with GDPR compliance. Our systems are fast, accurate and modern, reducing audit times from months or weeks to mere days.
Call Continuum GRC at 1-888-896-6207 or complete the form below.