The increased consent requirements under the GDPR have been a hot topic lately, due to the Article 29 Working Party’s recently issued draft guidelines on consent, and as May 25 approaches, questions about how to comply with these requirements are pouring in at OneTrust. In this post, we will provide some practical tips to data controllers for meeting the GDPR’s stringent consent requirements, and how to put consent management into practice.

Identify your processing activities

First, if your organization has already created records of processing (or a “data map”) to meet Article 30 requirements, those records can be looked to first to identify what processing activities rely on consent. These records are not only required under Article 30, but can also serve as a tool when working toward meeting other requirements as well, so consider expanding the scope of these records to include information about legal basis and consent.

Assess whether consent is the most appropriate legal basis

After you have identified where consent is being relied upon, ask this question: “Is consent really the most appropriate legal basis for this processing activity?” It should be taken into account that consent may not be the best choice in the following situations:

  • When the organization would still process the data under a different legal basis, even if consent is refused or withdrawn;
  • Where consent cannot be refused or withdrawn without detriment to the data subject;
  • Where the organization is in a position of power over the data subject; or,
  • Where a processing activity is necessary for the performance of a contract.

As stated by the WP29, “a controller must always take time to consider whether consent is the appropriate lawful ground for the envisaged processing or whether another ground should be chosen instead.” If you are struggling to obtain or manage valid consent for a particular activity, it could mean that another legal basis may be more appropriate.

Formulate consent requests

The GDPR also includes requirements for making a valid request for consent. For example, under Article 7(2), where a “data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.”

Therefore, it's important to ensure that consent requests are kept separate from other terms and conditions, that technical and legal jargon is avoided, that the request is prominent and clearly visible to the data subject, and is user-friendly (i.e., not unnecessarily disruptive).

Provide adequate information

One of the essential elements of valid consent under GDPR is that it be informed. Informing data subjects about the processing of their personal data is vital to their understanding of what it is that they are consenting to, and ensures that real choice is provided to them.

According to the WP29, the following should be provided to the data subject, at a minimum:

  • The controller’s identity;
  • The purpose of each of the processing operations for which consent is sought;
  • The types of data that will be collected and used;
  • The existence of the right to withdraw consent;
  • Information about the use of the data for decisions based solely on automated processing, including profiling, in accordance with Article 22(2); and,
  • If the consent relates to transfers, about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards (Article 49(1)(a)).

To ensure that this information is conveyed in a manner that remains clear, concise and not unnecessarily disruptive, the use of layered and just-in-time notices should be favored. However, it is important to note that the initial layer contain all of the key information needed for there to be an informed choice.

Record consents

Another requirement of the GDPR, found in Article 7, is that controllers “be able to demonstrate that the data subject has consented to processing of his or her personal data.” One way of doing this, according to the WP29, is to “keep a record of consent statements received, so [the controller] can show how consent was obtained, when consent was obtained and the information provided to the data subject at the time ... [and] also be able to show that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent.”

With that guidance in mind, and from a practical standpoint, consider keeping records of the following:

  • The name or other identifier of the data subject that consented;
  • The dated document, a timestamp, or note of when an oral consent was made;
  • The version of the consent request and privacy policy existing at the time of the consent; and,
  • The document or data capture form by which the data subject submitted his or her data.

Consent receipt mechanisms can be especially helpful in automatically generating such records. 

Manage consents and refresh as required

While the GDPR does not specify a time limit for how long consents will last, it has been inferred by many that the validity of consent could degrade over time, and the WP29 has recommended “as a best practice that consent should be refreshed at appropriate intervals.”

Pursuant to this recommendation, you may consider using tools that provide visibility into your organization’s various processing activities and how they change over time, allow for reminders to be set for refreshing consent at regular intervals, and that provide data subjects with the ability to directly control their consent preferences. 

Set up a process for withdrawal

Under Article 7(3), data subjects have the right to withdraw consent at any time. Additionally, controllers must inform data subjects of this right prior to obtaining their consent, and make it as easy to withdraw consent as to give it. The latter gets particularly interesting when considering that in some contexts, consent may be obtained “through only one mouse-click, swipe or keystroke” and therefore “data subjects must, in practice, be able to withdraw that consent equally as easily” per the WP29.

For these reasons, when your organization considers relying on consent, you must at the same time consider processes for how easy withdrawal of that consent will be enabled. Perhaps this is accomplished using an online preference management tool, web-interface, unsubscribe link or phone call. Regardless, at the end of the day, it is a question of balance — if one mouse-click was all it took to consent, is it appropriate to require a phone call during business hours to withdraw that consent? Probably not. 

Synchronize your records

In a previous post, we discussed “combining and conquering” the GDPR. That is, how the work done to meet various GDPR requirements can be leveraged when addressing others. This same concept applies here — synchronize your consent records with other areas such as your records of processing or data subject requests to assist with compliance. Doing so, for example, will enable you to quickly trace a withdrawal back to a particular processing activity or data subject request that needs to be reviewed.