Welcome to part two of our ongoing General Data Protection Regulation (GDPR) basics blog series. Part one, covering who the GDPR applies to, can be found here. Now we’re diving into what you need to know about GDPR consent. What does it mean to gain and track consent according to the GDPR?
The General Data Protection Regulation is a regulation that is meant to strengthen data protection for individuals within the European Union. The GDPR provisions are identical across EU member states, which simplifies compliance. Many businesses headquartered outside the EU will have to comply with the GDPR as it also addresses the transfer of personal data of EU citizens outside of the EU. More information can be found in our previous blog.
The ultimate goal of the GDPR is to restore control to EU citizens over the use of their personal data. This means you need to be able to prove when and where EU citizens gave you consent to use their data. This blog will help you understand what consent is, what information it applies to, what you have to do to gain consent, and what noncompliance could look like for your company.
Consent under the GDPR is an affirmative permission given by the user to use their personal data in an appropriate capacity.
Under the GDPR, consent has changed. Gone are the days of the sneaky “opt-out” box that confused users about the status of their consent. In May 2018, businesses will have to gain affirmative consent. What is affirmative consent? It means that the user must give consent by a “clear affirmative action,” and under the GDPR that consent must be “freely given, specific, informed and unambiguous.”
Consent applies to the personal information of the data subject. This information is outlined in the “Who” blog. Where a user’s personal data is used or processed, that user must give affirmative consent.
Failing to comply with the GDPR could subject your business to substantial fines. The GDPR articles state that penalties must be effective, proportionate and dissuasive. Businesses face fines of up to 10,000,000 EUR (USD 11,865,500.00) or up to two percent of global annual turnover, while for other violations those maximums are doubled to 20,000,000 EUR (USD 23,729,200.00) or four percent of global turnover. Violations concerning consent fall into the higher tier.
We have created a Privacy and Consent Gap Assessment to help your company see where you stand concerning the GDPR and consent. One of the great reprieves of the GDPR is that businesses may retain consent given prior to May 2018 if it complies with the GDPR consent standard. Let us help you see if you’re falling through the cracks with your consent standards.