How Do You Gain Valid Consent When Processing Customer Data?

In recent years, the GDPR (General Data Protection Regulation) has shifted the way businesses and organisations go about collecting, storing and processing customer data. Before the EU’s GDPR was introduced in 2018, companies had free rein over how they processed customer data. They were getting away with data harvesting and exploiting data for their own ends. But GDPR has rapidly changed all that.

Now companies must adhere to requirements that are ethical in the eyes of the law. Businesses that wish to collect and use the data of individuals now need valid consent. They must also allow those individuals access to and control over their data. And since GDPR has been put in place, organisations both large and small have had to learn about data, data processing and the new rules around them. Most also require a GDPR representative. These are individuals or organisations that represent an organisation, liaise with the supervisory bodies and help organisations remain compliant with these evolving and sometimes complex data protection laws.

In this article, we’re going to answer the question of how you gain valid consent when processing customer data as a business. We’ll cover the most important details that’ll help you understand what valid consent is, how to get it and how to remain GDPR compliant.

What is valid consent?

Consent broadly means giving people genuine choice and control over how their data is handled and used. Simply put, if individuals aren’t given a real choice, consent is not freely given. In the eyes of data processing and GDPR compliance, individuals come first and must have choice and control over who has their personal data and what is done with it.

Valid consent, as defined by GDPR Article 4(11), is:

‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

When you’re trying to collect personal data, whether through an email sign-up on your website or by taking a customer’s details when they purchase goods and services from you, people must be able to refuse consent without detriment. They must also be able to withdraw consent with ease at any time. It also means consent should be kept separate from terms and conditions.

GDPR also sets out further conditions for consent. These include specific provisions:

  • Organisations must keep records to demonstrate consent.
  • Consent requests must be prominent and clear.
  • Individuals must have the right to withdraw consent easily at any time.
  • Consent must be freely given if a contract is conditional on consent.

In a nutshell, individuals must always have freedom of choice in terms of their personal data processing.

What exactly is personal data?

It’s important to know what types of personal data fall under the need for consent according to GDPR. Broadly speaking, personal data refers to and includes:

  • Names and addresses.
  • Email addresses.
  • Identification card numbers.
  • Location data (e.g. as displayed by the location function on mobile devices).
  • IP addresses.
  • Cookies and cookie IDs.
  • Behavioural data and demographic data (such as those collected in statistics on Instagram, for example).
  • Data held by a hospital or doctor which uniquely identifies a person.

Personal data only includes information relating to natural persons who can be identified or who are identifiable directly from the information or who may be indirectly identified from the information when combined with other information.

How do I gain valid consent for processing customer data?

Now that you understand what valid consent means and what constitutes personal data that needs consent, we can look at how you go about gaining valid consent for processing customer data.

GDPR, in both the EU and the UK, sets high standards for organisations that wish to gain consent. But by using this checklist, you can help keep yourself aligned with GDPR and collect personal data safely, ethically and lawfully with valid consent.

Before attempting to collect, store and process data, check if:

  • You have checked that gaining consent is the most appropriate lawful basis for processing data.
  • You have asked people to opt in of their own accord.
  • You have made the request for consent prominent and separate from your terms and conditions.
  • You use clear, plain language that is easy to understand by everyone.
  • You specify why you want customer data and what you’re going to use it for.
  • You allow individuals to withdraw consent at any time.
  • You name your organisation and any third-party controllers who’ll be relying on their consent.
  • You ensure individuals can refuse to consent without detriment.
  • You avoid making consent a precondition of any service.
  • If you offer services to children, you only seek consent if you’re able to obtain consent through age-verification measures (and parental consent measures).
