In recent years, new GDPR (General Data Protection Regulation) incentives have shifted the way businesses and organizations go about collecting, storing and processing customer data. Before the EU’s GDPR was introduced in 2018, companies had free rein over how they processed customer data. They were getting away with harvesting data and exploiting it for their own ends. But GDPR has rapidly changed all that.
Now companies must adhere to requirements that are ethical in the eyes of the law. Businesses that wish to collect and use the data of individuals now need valid consent. They must also allow those individuals access to and control over their data. Since GDPR was put in place, organizations both large and small have had to learn about data, data processing and the new rules around them. Most also require a GDPR representative. These are individuals or organizations that represent an organization, liaise with the supervisory bodies and help the organization remain compliant with these evolving and sometimes complex data protection laws.
In this article, we’re going to answer the question of how you gain valid consent when processing customer data as a business. We’ll cover the most important details that’ll help you understand what valid consent is, how to get it and how to remain GDPR compliant.
What is valid consent?
Consent broadly means giving people genuine choice and control over how their data is handled and used. Put simply, if individuals aren’t given a real choice, consent is not freely given. Where data processing and GDPR compliance are concerned, individuals come first and must have choice and control over who has their personal data and what is done with it.
Valid consent, as defined by GDPR Article 4(11), is:
‘Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
When you’re trying to collect personal data, whether through an email sign-up on your website or by taking a customer’s details when they buy goods and services from you, people must be able to refuse consent without detriment. They must also be able to withdraw consent with ease at any time. It also means consent should not interfere with terms and conditions.
GDPR also sets out further conditions for consent. These include specific provisions:
- Organizations must keep records to demonstrate consent.
- Prominence and clarity of consent requests.
- Giving the right to withdraw consent easily at any time.
- Consent must be freely given if a contract is conditional on consent.
In a nutshell, individuals must always have freedom of choice in terms of their personal data processing.
What exactly is personal data?
It’s important to know what types of personal data fall under the need for consent according to GDPR. Broadly speaking, personal data includes:
- Names and addresses.
- Email addresses.
- Identification card numbers.
- Location data (e.g. from the location function on mobile devices).
- IP addresses.
- Cookies and cookie IDs.
- Behavioral data and demographics data (such as those collected in statistics on Instagram, for example).
- Data held by a hospital or doctor which uniquely identifies a person.
Personal data only includes information relating to natural persons who can be identified directly from the information, or who may be indirectly identified from it when it is combined with other information.
How do I gain valid consent for processing customer data?
Now that you understand what valid consent means and what constitutes personal data that needs consent, we can look at how you go about gaining valid consent for processing customer data.
GDPR, in both the EU and the UK, sets high standards for organizations that wish to gain consent. But by using this checklist, you can keep yourself aligned with GDPR and collect personal data safely, ethically and lawfully with valid consent.
Before attempting to collect, store and process data, check if: