Where is Privacy Consent Required Under the GDPR?


Welcome to part three of our GDPR Basics blog series. We previously covered who must comply with the GDPR and what you need to know about acquiring and tracking consent, and now we’re diving into the “where.” Oh where, oh where have the simpler times gone! The days when the internet was a party trick and privacy was something you gained when you closed your blinds. While I can’t answer those questions, I can answer a few other “where”-related questions.

Where do we see the most GDPR changes happening?

Consent! Many organizations have consent measures in place, but they may be missing the mark under the GDPR. Consent is amplified and made a priority under the GDPR.

Consent MUST be:

  • Freely given
  • Specific
  • Displayed clearly
  • Comprehendible
  • Demonstrable (where consent is a condition)
  • Withdrawable
  • Trackable

Consent CANNOT be:

  • Inferred by silence
  • Tick box to opt-out (pre-ticked for opt-in)
  • Mandatorily permanent
  • Coerced
  • Overbroad
  • Disguised in tedious documentation
  • Vague

Where is consent necessary?

Consent is necessary where the controller is processing personal information. Under the GDPR, in order to lawfully process personal data you must have the consent of the data subject. If you are processing this data without consent that meets the requirements in the chart above, then your processing is illegal. This illegal processing can come with heavy fines - up to 4% of your company's annual global turnover. GDPR compliance is mandatory across all industries.

When in doubt, remember: the nature of your business does not negate the consent mandate.


Where can you go for help?

We've created a Privacy Consent Gap Assessment to determine your current level of GDPR compliance. After the assessment, you'll know what changes you should make before the May 2018 deadline and where you are already compliant. The sooner you become compliant the better, as consent that was previously given in compliance with the GDPR does not have to be re-obtained.
