GDPR For Dummies

Overview

Don’t be afraid of the GDPR wolf!

How can your business easily comply with the new data protection and privacy laws and avoid fines of up to $27M? GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulation (GDPR). The regulation applies to all businesses established in the EU and to businesses established outside the EU insofar as they process personal data about people within the EU.

Inside, you’ll discover how GDPR applies to your business in the context of marketing, employment, providing your services, and using service providers. Learn how to avoid fines, regulatory investigations, customer complaints, and brand damage, while gaining a competitive advantage and increasing customer loyalty by putting privacy at the heart of your business. 

  • Find out what constitutes personal data and special category data
  • Gain consent for online and offline marketing
  • Put your Privacy Policy in place
  • Report a data breach before being fined

79% of U.S. businesses haven’t figured out how they’ll report breaches in a timely fashion, provide customers the right to be forgotten, conduct privacy impact assessments, and more. If you are one of those businesses that hasn't put a plan in place, then GDPR For Dummies is for you.

GDPR For Dummies Cheat Sheet

The General Data Protection Regulation (GDPR) was designed to streamline data protection laws across Europe as well as provide for some consistency across the European Union (EU). Although it's been in place since May 2018, it still causes a lot of confusion. This cheat sheet answers some questions about a few major misunderstandings: Does the GDPR apply to non-EU organizations? Can non-EU organizations be fined for non-compliance? Do you need an Article 27 representative?

Articles From The Book

Cybersecurity Articles

The Fundamentals of GDPR and Data Protection

One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe, so its legal form is a regulation (a binding act that applies as written) rather than a directive (a result to achieve, with the means left to each member state). The GDPR is the successor to the European Union's (EU) Data Protection Directive of 1995 (Directive 95/46/EC). Unlike a directive, a regulation is directly applicable in every EU member state from the day it takes effect; it does not need to be transposed into national law, and member states cannot change it through national legislation. Member states are, however, permitted to make certain derogations (a fancy term for exemptions) from the GDPR (for example, where national security requires it), so data protection laws across Europe aren't quite as harmonized as some of the legislators may have hoped. Although member states cannot change the GDPR, each one still needs national legislation to accompany it, for two reasons:

  • The GDPR needs to fit into the member state’s legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.
At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.

Data protection laws

Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights. This list describes a handful of additional points about these laws to keep in mind. Data protection laws:
  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The modern legal concept of a right to privacy is usually traced to a U.S. law-review article of 1890. Although the EU has been a front-runner in establishing laws protecting data and sees itself as setting the gold standard of data protection law, the vast majority of countries around the world have some form of data protection law.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations commonly (a) fail to put appropriate measures in place to keep personal data secure, (b) fail to tell the data subject at the point of collection what they intend to do with the personal data (and, where necessary, fail to obtain consent), and (c) transfer personal data to third parties without the data subject's knowledge. Data protection laws generally prohibit these common misuses.
Countries hold to varying degrees of regulation and enforcement and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data.

The 10 most important obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:
  • Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it.
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it.
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA).
  • Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data-processing.
  • Update your Cookie Policy to ensure that you aren’t relying on implied consent, that browsers of your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.
  • Ensure that your staff are appropriately trained in relevant areas of the GDPR.
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary.
  • Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate.
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.

The consequences of non-compliance

Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements. For certain breaches, the maximum fine has been increased to 20 million euros (about $24 million USD) or 4 percent of worldwide annual turnover for the preceding financial year, whichever is higher. For "lesser" breaches, the maximum fine has increased to 10 million euros (about $12 million USD) or 2 percent of worldwide annual turnover for the preceding financial year, whichever is higher. This significant increase indicates the growing importance of data protection within the EU as the value of personal data increases and processing becomes ever more sophisticated. This is not to say that you will be fined these amounts for any infringement of the GDPR: to incur a maximum fine, you would have to do something that significantly affects the rights and freedoms of a large number of data subjects.

Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So if, for example, you don't respond appropriately to a data subject rights request (such as a subject access request, in which the data subject asks for details of the personal data you process about them), or if you experience a data breach that affects the data subject's personal data, you could find yourself on the receiving end of a civil claim. As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller. A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be, for these reasons:
  • The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.
  • Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
  • Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media.
This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. The two situations require two different responses:
  • If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.
  • If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints.
These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data or to force you to respond to the data subject’s requests to exercise their rights.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a consulting firm providing marketers with data and technology assistance) entitled "Global data privacy: what the consumer really thinks" showed that the vast majority of individuals around the world are quite concerned about how their personal data is used and protected. If you aren't compliant with the GDPR, you're showing your prospects, customers, and employees that you aren't concerned about the protection of their personal data.

Loss of trust

If you don't comply with the GDPR and, for example, you experience a data breach or don't respond appropriately to data subject requests, you are likely to lose the trust of your customers and prospects. When they don't trust you, they don't want to buy from you or otherwise do business with you. Similarly, when your employees don't trust you, they no longer want to work for you. In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways' parent company) decreased by 5.8 percent (equivalent to a loss of £350m). In 2018, Comparitech published a report finding that, in the long term, organizations that have suffered data breaches financially underperformed.

Be a market leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage. Elizabeth Denham, the United Kingdom information commissioner, summed up this idea nicely:
“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

How to Create and Communicate Your Cookie Policy

The function of your cookie policy is to provide clear and comprehensive information to your website users about the cookies you're using and what kind of cookies they are (for example, whether they are strictly necessary, functional, analytics or advertising cookies, and whether they are session or persistent cookies).

Assess your cookies

To create your cookie policy, you need to know what cookies you’re using on your website and what their purpose is. A small-business owner may not know the answer, especially if a website developer set up their website.

If you don’t know what cookies are on your website and what they’re for, ask your web developer or use a cookie audit tool, such as cookiechecker. Ghostery is another tool that can help with this — it's a free browser plugin that also categorizes the cookies, such as advertising, analytics and the like. For other options, search the internet using the term “tool to show cookies on websites." Resources such as cookiepedia can also be helpful to find out more about what different types of cookies do.

In order to write your cookie policy, you need to know, for each cookie:
  • What type of cookie it is
  • What the cookie is used for
  • How long the cookie lasts: is it a session cookie that lasts only for the browsing session, or a persistent cookie that lasts beyond the session, and if so, what is its expiry date?
  • Who serves the cookie: is it a first-party or third-party cookie, and if it is third-party, who serves it?
  • How a user can refuse the cookie at a later date
In addition, when you have the list of cookies your website uses, assess how intrusive the cookies are, in other words how far they follow users around in their online browsing. First-party cookies, such as shopping cart cookies, are less intrusive than third-party persistent tracking cookies, which monitor your website users' online behavior on a long-term basis. If you're using more intrusive cookies, obtaining informed consent for their use is all the more important. Guidance on the use of cookies from the United Kingdom's Information Commissioner's Office (ICO) is that "you should take particular care to ensure clear and specific consent for more privacy-intrusive cookies, such as those collecting sensitive personal data like health details, or used for behavioral tracking."

Digital agencies and website publishers should take particular care when using cookies for Real Time Bidding (RTB). RTB is a system used by ad exchanges to broadcast the personal data (often of a sensitive nature) of the individual browsing the website or using the app to thousands of organizations in order to solicit potential advertisers' bids to deliver their ads on the website or app. The ICO's investigations into RTB have found that, in the vast majority of cases, cookies used for RTB do not comply with the ePrivacy Directive and the GDPR. The ICO highlighted the following deficiencies:
  • Insufficient information provided to the data subject about the processing
  • Data subject consent not obtained for the processing of non-special category data and instead relying on legitimate interests
  • Explicit consent from the data subject not obtained for special category data (such as tracking online browsing about religious or health content)
  • Failing to carry out a data protection impact assessment (DPIA)
  • Sharing with large numbers of third parties the detailed profiles of individuals without their knowledge
The French supervisory authority, CNIL, issued an enforcement notice in October 2018 to a French digital agency called Vectaury that had obtained personal data for hundreds of millions of people from the RTB system. The enforcement notice required Vectaury to cease processing geolocation data for advertising purposes without appropriate lawful grounds for processing. CNIL stated that “it is clear that Vectaury is unable to demonstrate that the data currently collected through real time bid requests are subject to informed, free, specific, and unambiguous consent.” Vectaury was non-compliant in:
  • Bundling together a number of separate processing purposes under a single opt in
  • Not checking that consent had actually been obtained from the individual and only relying on contractual clauses to this effect
  • Using misleading and vague language on the first consent screen
  • Using pre-ticked boxes for consent
It is worth noting that Vectaury believed it was following the IAB framework, something that the IAB disputes by pointing out that Vectaury did not follow its policies correctly. However, in practical terms, for the majority of data controllers, the most important assessment is whether the cookie is “strictly necessary” or not. If it is strictly necessary, the cookie is exempt from consent. If the cookie is not strictly necessary, consent from the web user is required.

You can also take this opportunity of auditing the cookies used on your website to tidy up your use of cookies and delete any you don’t really need.
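Part of the audit above can be automated. The following script is an added example (not the book's code, nor that of any of the tools it names): it parses the Set-Cookie headers a crawl records while loading a page and answers the mechanical questions from the list for each cookie: who set it, whether it is first- or third-party relative to the page, whether it is a session or persistent cookie, and how long it lives. The hostnames and header values are constructed, and the `siteOf` shortcut (last two DNS labels instead of the Public Suffix List) is a simplification; the purpose of each cookie still has to come from your developer or the vendor, because it cannot be read off the header.

```javascript
// Added example (not from the book): a minimal cookie-audit helper that
// classifies Set-Cookie headers recorded while crawling a site. The sample
// records below are constructed; the hostnames are placeholders.

// Naive "site" extraction: the last two DNS labels. This is a simplification;
// a real audit should use the Public Suffix List, otherwise "shop.example.co.uk"
// and "ads.example.co.uk" would wrongly be treated as the same site.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header into its name, value and attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Classify a cookie as the audit questions require: who set it, first- or
// third-party, session or persistent, and its lifetime.
function auditCookie(pageHost, responseHost, header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  // RFC 6265: Max-Age takes precedence over Expires; neither => session cookie.
  let expires = null;
  if (attrs['max-age'] !== undefined) {
    expires = new Date(now.getTime() + parseInt(attrs['max-age'], 10) * 1000);
  } else if (attrs.expires !== undefined) {
    expires = new Date(attrs.expires);
  }
  const persistent = expires !== null && !Number.isNaN(expires.getTime());
  return {
    name,
    setBy: responseHost,
    thirdParty: siteOf(responseHost) !== siteOf(pageHost),
    persistent,
    lifetimeSeconds: persistent ? Math.round((expires.getTime() - now.getTime()) / 1000) : 0,
    secure: attrs.secure === true,
    httpOnly: attrs.httponly === true,
    sameSite: typeof attrs.samesite === 'string' ? attrs.samesite : 'unspecified',
  };
}

function auditSite(pageHost, records, now = new Date()) {
  return records.map((r) => auditCookie(pageHost, r.responseHost, r.header, now));
}

// Heuristic from the text: long-lived cookies set by another site are the most
// intrusive and need clear opt-in consent before they fire. Strictly necessary
// cookies are exempt regardless, but that is a purpose judgement, not a header one.
function flagIntrusive(entries) {
  return entries.filter((e) => e.thirdParty && e.persistent).map((e) => e.name);
}

// Constructed sample: responses seen while loading https://shop.example.com/.
const SAMPLE_RECORDS = [
  { responseHost: 'shop.example.com',
    header: 'cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { responseHost: 'shop.example.com',
    header: 'sid=xyz; Path=/; Max-Age=1800; Secure; HttpOnly' },
  { responseHost: 'tracker.adnetwork.example',
    header: 'uid=42; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; SameSite=None' },
];

// Stand-alone run: print the audit table for the sample crawl.
if (typeof require !== 'undefined' && require.main === module) {
  const entries = auditSite('shop.example.com', SAMPLE_RECORDS);
  console.table(entries);
  console.log('needs opt-in consent first:', flagIntrusive(entries));
}
```

Run it with Node to print the table, then replace the constructed records with the Set-Cookie headers your own crawl captured (browser developer tools, an intercepting proxy or a headless browser). The `flagIntrusive` list is where to start when deciding which cookies must be held back until consent is given.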

Write your cookie policy

The General Data Protection Regulation (GDPR) requires data controllers to provide certain information to data subjects — via the privacy notice — about how they process personal data. You can provide information about cookies in your Privacy Notice. However, data controllers commonly have a separate cookie policy that specifies which cookies they’re using.

The requirement to provide certain information about the cookies you use on your site comes mainly from the current ePrivacy Directive. To comply with this Directive, you must explain what the cookies are being used for and obtain the user’s consent to store a cookie on the device.

The obligation under the ePrivacy Directive to obtain consent is only in relation to non-essential cookies. However, you should provide information for all cookies used, both essential and non-essential.

Neither the GDPR nor the ePrivacy Directive specifies the information that needs to be contained in the cookie policy. However, you should include, as a minimum, the following information you learned from your cookie assessment:
  • What types of cookies are used (such as, advertising or analytics)
  • Who sets the cookie
  • How a user can refuse the cookie
According to the ePrivacy Directive, the language in your policy must be clear and comprehensive. The ICO says this means the “text should be sufficiently full and intelligible to allow individuals to clearly understand the potential consequences of allowing the cookies should they wish to do so.” In other words, make sure users understand what the cookies do and what that means for them — for example, their browsing and shopping habits will be tracked, and they’ll see ads that reflect the tracking. The ICO guidance also states that you must consider the general levels of understanding that website users hold about cookies. The understanding is still pretty low, so the cookie policy needs to be easy to understand, especially for people who have no technical background. Therefore, listing the types of cookies your website uses isn’t enough; you need to fully explain what each type of cookie is used for and how that affects the user.

When using a banner or pop-up to link to the requisite information and to gain consent, consider the user experience. Many users find pop-ups annoying and even confusing, so use them sparingly, if at all, or as unobtrusively as possible. See the next section for more about ways to communicate your cookie policy to users.

Post your cookie policy

You can choose to have a straightforward cookie policy on a web page on your website with a prominent link to it on each page of your website (through a banner or pop-up, for example), or you can use a more sophisticated tool to show the cookie policy and obtain the necessary consent (see the section below for potential tools). If the link to the cookie policy is in a banner that shows at the top or bottom of the web page, it must be easily viewable and above the fold (the section of the web page users can see without scrolling down). Many websites merely have a plain link to a cookie policy in the footer of each page (without a banner or a pop-up). This isn't likely to be prominent enough to be compliant.

In addition to the cookie policy, you need a separate cookie consent statement, either in a separately displayed cookie banner or a cookie pop-up, that links back to the cookie notice, with a call to action to provide consent, such as "accept cookies" and "reject cookies" buttons. The ICO guidance on the use of cookies states that:
  • Rather than just have a link that states “cookie policy,” you should make it clearer what the link is about by using words such as “Find out more about how our site works and how we put you in control.”
  • You must not have boxes that emphasize "agree" or "allow" (or presumably "accept") cookies, as opposed to "block" or "reject" cookies, as this influences website users to consent to the use of cookies. There must be an option of similarly prominent boxes of accept and reject.
  • The initial consent mechanism you use when people land on your landing page of your website must allow the user to make a choice about whether to accept the use of cookies or not; merely having a "more information" section where controls are located would not suffice.
The following figure shows an example of how a banner might display a link to a cookie policy. The banner pops out at the left side of the web page and provides a link that users can click to read more about the website’s cookies.

Consent under the GDPR must not be opt-out consent, where the user must take some action (click a button or select a check box) in order to block cookies. The GDPR insists on opt-in consent, where the user must take affirmative action in order to allow cookies. As such, cookie policies that state that by continuing to browse the website the user consents to the use of cookies will not be compliant.

Cookie walls

Equally, the GDPR does not allow you to make consent a condition of the service, so stating that the website user has to accept cookies in order to continue browsing (known as a cookie wall) would also be in breach of the GDPR. The Dutch supervisory authority issued guidance that cookie walls are not compliant with the GDPR. It stated that it had increased monitoring of organizations using cookie walls and was instructing them to make the necessary changes to ensure GDPR compliance.

The ICO guidance is a little more permissive when it comes to cookie walls. The ICO refers to Recital 25 of the ePrivacy Directive, which states that "access to specific website content may be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose." The ICO's guidance is, therefore, that cookie walls are not permitted for "general access" to websites but that it is possible to restrict certain content if the user does not consent to the use of cookies. However, the ICO goes on to say that if the use of a cookie wall is "intended to require or influence users to agree to their personal data being used by [the data controller] or any third party as a condition of accessing your service, then it is unlikely that user consent is considered valid." The ICO also notes, in a blog post published on the same day as its guidance on cookie walls, that "we recognize there are some differing opinions as well as practical considerations around the use of partial cookie walls and we will be seeking further submissions and opinions on this point from interested parties."

The Austrian supervisory authority, however, rejected a complaint that consent obtained through a cookie wall of an online newspaper was not freely given. The newspaper provided a free online version and also a subscription version without advertising, and it only allowed users of the free version access if they accepted cookies for advertising purposes. The European Data Protection Board is advocating a complete ban on cookie walls as part of the amendments to the ePrivacy Directive, so we may only get clarity on the matter when the new ePrivacy Regulation comes into force.

To ensure full compliance, you need a tool (discussed in the next section) that shows, before any cookies are fired, the cookies used on your site and allows website users to make granular choices about which cookies they're happy to accept.

Tools to communicate your cookie policy and obtain consent

Some existing tools can enable you to be compliant to a lesser or greater degree. One such tool, Cookiebot, enables you to show the different types of cookies you use on your website and gives the website user the option to continue browsing while using only necessary cookies (for which consent isn't required). Cookiebot also appears to be able to prevent cookies from firing until consent is obtained, though you do have to add certain code to your other plugins. (Check out Cookiebot's website for more information.)

The following figure shows the Cookiebot banner, which you can place at the top or bottom of your website. Users can click the Show Details tab to see the additional information shown here. Clicking the About Cookies tab shows more information about the different types of cookies, for example cookies for statistics or marketing. With Cookiebot, users cannot accept and refuse individual cookies; rather, the choice is simply between Preferences, Statistics, and Marketing. With other, more expensive GDPR solutions, such as OneTrust, you can allow your website users to make more granular choices about which cookies they're happy to consent to.

Another affordable WordPress plugin can be used to prevent cookies firing prior to consent being obtained (without having to add any code). This plugin also enables data subjects to access basic personal data about themselves (and update it), satisfying Recital 63, which states that best practice is for organizations to provide remote access to a secure self-service system where the data subject can have direct access to his or her personal data. In addition, the plugin provides a privacy policy and cookie policy generator that automatically updates on your site for new guidance or amendments to regulations.
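Whatever tool you pick, the rules it has to enforce are the same ones the ICO and CNIL material above spells out, and it helps to see them as code. The block below is an added example of the decision core of a consent tool; it is not the book's code, nor Cookiebot's or OneTrust's, and the category names, policy version strings and sample tags are assumptions. It encodes: nothing beyond strictly necessary runs without an explicit record, no category is pre-ticked, "accept all" and "reject all" are equally easy to reach, a record is tied to a policy version and timestamp so it can be evidenced (the point Vectaury failed on) and re-asked when the policy changes, and an unlabelled tag is withheld rather than loaded.

```javascript
// Added example (not from the book or any vendor): the decision core of a
// consent-gated tag loader. It contains no DOM code so it runs anywhere;
// category names, policy versions and sample tags are illustrative assumptions.

const CATEGORIES = ['necessary', 'preferences', 'statistics', 'marketing'];

// With no valid record, only strictly necessary cookies and scripts are allowed.
// There is deliberately no "implied consent" path: scrolling or continuing to
// browse never creates a record.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Turn the user's explicit choices into a record. Every non-essential category
// starts off (no pre-ticked boxes) and is switched on only by an explicit
// `true`. The record carries the time and policy version so the consent can be
// evidenced later and re-requested when the policy changes.
function recordChoice(choices, policyVersion, now = new Date()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== 'necessary' && choices[cat] === true) consent[cat] = true;
  }
  return { consent, policyVersion, timestamp: now.toISOString() };
}

// "Accept all" and "Reject all" must be equally prominent; both are one call.
function acceptAll(policyVersion, now) {
  return recordChoice({ preferences: true, statistics: true, marketing: true }, policyVersion, now);
}
function rejectAll(policyVersion, now) {
  return recordChoice({}, policyVersion, now);
}

// A stored record only counts while the policy it was given against is the
// current one; after a policy change the user is asked again.
function effectiveConsent(record, currentPolicyVersion) {
  if (!record || record.policyVersion !== currentPolicyVersion) return defaultConsent();
  return record.consent;
}

// Each tag declares a category. Anything uncategorised is treated as
// non-essential and withheld, so a forgotten label fails closed.
function scriptsToLoad(tags, consent) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.src);
}

// Cookies already on the device whose category is not consented to should be
// deleted (they may predate the banner, or come from a tag that ignored it).
function cookiesToPurge(inventory, consent) {
  return inventory.filter((c) => consent[c.category] !== true).map((c) => c.name);
}

// Constructed sample data: the tags a page ships and the cookies found on it.
const SAMPLE_TAGS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'statistics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
  { src: 'https://cdn.example/unlabelled.js' },
];
const SAMPLE_INVENTORY = [
  { name: 'sid', category: 'necessary' },
  { name: '_ga', category: 'statistics' },
  { name: 'uid', category: 'marketing' },
];

// Stand-alone run: show what loads before and after a granular choice.
if (typeof require !== 'undefined' && require.main === module) {
  const before = effectiveConsent(null, 'v2');
  console.log('before any choice:', scriptsToLoad(SAMPLE_TAGS, before));
  const rec = recordChoice({ statistics: true }, 'v2');
  console.log('statistics only:', scriptsToLoad(SAMPLE_TAGS, effectiveConsent(rec, 'v2')));
  console.log('purge:', cookiesToPurge(SAMPLE_INVENTORY, rec.consent));
}
```

In a real page, the non-essential tags would be shipped in a form the browser does not execute (for example `<script type="text/plain" data-category="statistics">`), and a few lines of DOM code would call `effectiveConsent` on load, switch the type to `text/javascript` only for the sources `scriptsToLoad` returns, delete the cookies `cookiesToPurge` names, and persist the record from `recordChoice` in a first-party cookie or local storage. Bumping the policy version is what forces a fresh banner after you change what the cookies do.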

GDPR: Consent as Lawful Grounds for Processing Personal Data

To process personal data, you need to have lawful grounds for processing, as provided for in the General Data Protection Regulation (GDPR). Consent is likely to be the appropriate ground where you want to offer a real choice to people — for example, whether they want to receive your marketing emails.

Many people think that GDPR is all about consent, but that isn’t true; consent is just one of six potential lawful grounds for processing personal data.

Carefully consider consent as lawful grounds for processing:
  • Consent can always be withdrawn, so if you need the data for the stated purposes, it's always wise to rely on another lawful ground for processing where possible. In other words, if the data subject withdrew their consent and you would try to continue processing the data under a different lawful ground, consent wasn't the appropriate ground for processing in the first place.
  • If the relationship has a power imbalance (such as during employment or during processing by a public authority), proving that consent is freely given (one of the elements of a valid consent) is difficult.
  • Consent gives data subjects stronger rights in relation to their data than other grounds for processing do; the right to erasure and the right to data portability, for example.
A valid consent has various elements. Consent must be
  • Freely given
  • Specific
  • Informed
  • An unambiguous indication of wishes

Freely given consent

Freely given means that the data subject is free to choose whether to give consent, without any detriment, and has genuine choice and control over what personal data they provide. Incentivizing consent is possible. If you offer money-off/discount vouchers for subscribing to an email marketing list, for example, this would still be valid consent. If, however, the data subject suffers a detriment or is unfairly penalized as a result of not providing consent, the consents that were obtained aren't valid. An example of a detriment is charging higher prices for a service if the data subject refuses to consent to their data being shared with third parties. If consents are bundled so that a data subject can only consent to all of the processing, this consent isn't valid because it hasn't been freely given. Perhaps the data subject wanted to sign up for one type of processing but was forced to sign up for another as well, because the consents were bundled. The consent needs to be granular, as shown in the following figure. You need to offer separate consents for each of these:
  • Different types of processing: For example, to be contacted by email, phone, or postal mail
  • Different purposes: For example, sending email marketing and sharing details with third parties
Note that the preferences form in the figure requires opt-in consent for SMS (text) updates but opt-out consent for communications by postal mail or telephone. This is because the e-Privacy Directive (as implemented in the United Kingdom as the Privacy and Electronic Communications Regulations, known as PECR) requires consent for text marketing (amongst other electronic marketing) but not for postal or telephone marketing. Therefore, this organization is relying on consent (which must be the opt-in type to be valid under the GDPR) for text marketing and on the legitimate interests grounds for processing to send postal and telephone marketing; this is compliant with the GDPR. If you rely on the legitimate interests grounds for processing, you must provide the ability for data subjects to opt out at any time — and that’s what The Guardian web page is doing.

The e-Privacy Directive (as implemented into European Union member states through their national legislation) requires consent for certain electronic direct marketing communications. If the relevant national legislation (such as the PECR in the UK) requires consent, then the GDPR will also require consent for such processing.

If consent to a processing of personal data is a condition of service and the service provider will not provide the service without the consent to the processing being given, then the consent isn’t freely given. However, if the data is required in order to fulfil the service (for example, passing a customer’s name and address to a delivery company), then the appropriate lawful grounds for processing would be contractual necessity, and consent wouldn’t be required.

It’s difficult for employers to show that consent by employees has been freely given, because of the imbalance of power in the working relationship. As such, employers should look at other grounds of lawful processing for key employee data and rely on consent only for processing of such personal data as responses to surveys, competitions, or similar matters. In addition, consent can always be withdrawn, so if you need to retain certain key employee data, relying on consent as lawful grounds for processing is unwise.

Specific consent

The consent must be given for a specific purpose, such as for sending marketing emails. In accordance with the transparency principle, you must clarify what the personal data is being used for, and you must be as specific as possible. If you’re processing personal data for multiple purposes, you must obtain consent for each purpose. Specificity is often problematic because you may not know what you want to use the data for at a later date after you have collected it. The GDPR provides for processing for compatible purposes. If your lawful grounds for processing is consent, however, then even if the new purpose is compatible, in order to comply with the principles of fairness and lawfulness, you need to obtain fresh consent for the new purpose. One exception to this rule relates to processing for scientific research purposes. The GDPR states that, where it is not possible to fully identify the purpose of data processing for scientific research purposes, data subjects can legally give their consent to certain areas of scientific research consistent with recognized ethical standards for scientific research. The specified purpose must be set out in your privacy notice as well as in any processing records you may be obliged to keep under Article 30 of the GDPR.

You should regularly review your processing in consideration of your stated purpose and, if you notice any “purpose creep,” obtain fresh consent if the new purposes are not compatible with the original purposes. Note that the consent needs to be obtained before the commencement of the processing for the new purpose.

Informed consent

You must provide the data subject with all necessary information about the processing at the point that the person provides consent. The place for this information is in your privacy notice. This must be in a form and in a language that’s easy to understand. Language that’s likely to confuse (such as double negatives and inconsistent terminology) will invalidate consents. Recital 32 of the GDPR makes clear that if a consent is to be given by electronic means, such as ticking a box on an online form, the request for consent must be clear, concise, and not unnecessarily disruptive to the user experience. Suppose that a lengthy and confusing privacy notice pops up and blocks content until the user of the website clicks to make it disappear. Having to click the notice is disruptive to the user experience and falls afoul of this provision.

A better strategy here is to use a layered privacy notice like the one shown in the following figure.

Where possible, you should combine this type of notice with a just-in-time notice — a note on a web page that appears at the point where the data subject inputs personal data, as shown in the following figure. (Note how a just-in-time notice provides a brief message about how the submitted information will be used and a link to the longer privacy policy.) Some level of disruption may be necessary to obtain the consent, but you can minimize it as much as possible. For the data subject to be informed, the person must know at least the identity of the data controller and the purposes of the processing. If you’re sharing the data with any third parties who are relying on that consent, the identities of those third parties must also be named.

You don't need to name all third parties to whom you disclose the data, because many are relying on other lawful grounds for processing to process the data (contractual necessity, for example). If you’re sharing data with a third party for the purposes of them marketing to the data subject, consent is the likely grounds for processing. In this case, the third party should be named in the consent from the original data controller, as it should be in any other cases where the third party will be relying on that consent in order to process the data.

You should ensure that the consent is separate from other terms and conditions so that it isn’t buried in lots of legalese.

Unambiguous indication of wishes

In order for consent to be valid, there must be no doubt about the data subject’s wishes. If there is any uncertainty about whether the data subject has consented, the presumption is that they have not consented. Recital 32 to the GDPR states that a clear, affirmative act may include a written statement, including by electronic means, or an oral statement. This might include having the user tick a box when visiting a website, choosing technical settings for online services, or acting in a way that clearly indicates acceptance of the processing (for example, asking individuals to drop their business cards in a bowl if they want to receive your newsletter). In this context, a clear, affirmative act means that someone has taken deliberate and specific action to consent to the processing.

Hence, pre-ticked boxes and opt-out actions aren’t ways of obtaining valid consent, because the data subject hasn’t had to take affirmative action, so this isn’t an unambiguous indication of the person’s wishes. They simply may not have seen the check box or the opportunity to opt out. Similarly, silence doesn’t constitute an effective consent. For example, if you ask someone by phone to say something specific in order to opt out of the processing of their data, the data subject’s silence isn’t a valid consent, because the person may not even be listening. To actively confirm consent over the telephone or in person, the data subject must speak certain words, such as “Yes, I consent.” Keeping records of this oral consent is vital.

An element of implied consent can come with a positive act that makes it clear the data subject is consenting to the processing. For example, if you ask attendees of an event to drop their business cards into a bowl for a chance at winning a prize, that would imply consent for them to be entered into that prize drawing. However, the data can’t be used for marketing to those individuals without their further consent.

Consent obtained by way of duress or coercion doesn’t constitute valid consent.

Obtain fresh consent

The GDPR has introduced a higher standard of consent than what existed under the previous regulations. If your existing consents don’t meet the new GDPR standard (you previously relied on pre-ticked boxes to indicate consent or you don’t have satisfactory records of your consents, for example), you must update those consents to meet the higher standard to be valid.

Be wary of attempting to obtain fresh consent to marketing communications by emailing data subjects on your mailing list. To do so would be processing the data without valid lawful grounds for processing. Also, consent is generally required for email and text marketing communications under the e-Privacy Directive.

You can have on your website a sign-up box to obtain fresh consent for email marketing communications (and use various advertising methods to direct people to it), but, obviously, it takes some time to obtain consents in this way, and some people who consented previously will inevitably be “lost.”

The e-Privacy Directive and consent

Consent is required for communications covered by the e-Privacy Directive, such as for email and text marketing to individuals. Currently, the e-Privacy Directive (as implemented in EU member states’ national legislation) applies only to organizations that provide electronic communications services within that member state, but this is soon to be extended to have a global reach similar to that of the GDPR. Be mindful of these regulations when deciding your lawful grounds for processing. If you need to obtain consent under the e-Privacy Directive, this needs to be to the same standard of consent as the GDPR.

Withdraw consent

If you rely on consent as your lawful grounds for processing, you need to inform data subjects of their right to withdraw consent. The place to do this is in your privacy notice. You also need to offer data subjects easy and free ways to withdraw consent. You may want to consider using a preference management tool to do so, as shown here. You might also include an online form to withdraw consent at the bottom of each page of your website.

The GDPR states that data subjects must be able to withdraw consent at any time. Arguably, merely having an unsubscribe option at the bottom of emails would not suffice, as an email is not available to a data subject at all times; they may have received one and deleted it and, therefore, have no link to unsubscribe when they want to do so.

Keep the following points in mind as you consider how to enable data subjects to withdraw consent:
  • Withdrawing consent must be as easy as providing it. If a data subject provided consent by ticking a box on an online form, specifying in your privacy notice that they have to call a telephone number or even write to an email address to withdraw consent isn’t compliant. If, however, consent was obtained over the telephone, it is compliant to provide a telephone number for the data subject to call to withdraw their consent.
  • A data subject must not suffer any detriment by withdrawing their consent. If the data subject suffers, the consent is invalid.
  • When consent is withdrawn, you must stop processing the data immediately. Where this isn’t possible, it must be stopped as soon as possible.
  • If a data subject withdraws consent, you don’t necessarily need to delete all of their data. For example, if a data subject opts out of email marketing (effectively withdrawing consent for you to process their data to send email marketing), you can properly keep this data on a suppression list (so that you have a record of the data subject’s opting out).

Similarly, if you need to retain data for legal or auditing purposes, you can do so, but at the point of obtaining the consent you must be upfront with the data subject about your intentions to continue to process the data for certain purposes. The place to do this is, of course, in your privacy notice.

  • A third party can withdraw consent on behalf of a data subject. You must, however, satisfy yourself that the third party has the authority to do so. This may cause difficulties where data subjects use automated software tools for unsubscribing.
  • No set time limit dictates how long consents are valid. However, you need to monitor consents and refresh them where necessary depending on the context, including data subjects’ expectations and how often you email them. For example, if you haven’t emailed people for a long time, you may need to obtain fresh consents. If in doubt, the UK’s supervisory authority, the ICO, recommends refreshing consents every two years. You should also consider contacting data subjects regularly (every six months, for example), to remind them of their right to withdraw consent.

Document consent

You must be able to prove that consent has been provided and you must keep records of consents. If complaints are lodged or investigations begin down the line, you’ll need to produce this evidence. You should keep records of the following consent-related information:
  • Who consented, such as name or another online identifier (username, for example)
  • The date on which the consent was given
  • Details that were provided at the time about the processing and the purposes
  • How someone consented (for example, in writing or by submitting data into an online sign-up form for newsletter subscription)
  • Whether the person has withdrawn consent and, if so, on what date

You can document the details of the processing and the purposes that were provided at the time by referring to the privacy notice that was in force at the time. Keep notes of how privacy notices are amended over time so that you know which version was shown to each data subject. This can be as low tech as keeping a hard copy file of privacy notices and writing on the top the dates from and to which each one was effective.
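As an added example (not from the book), here is a minimal consent ledger in Python that keeps the fields listed above, links each consent to the privacy-notice version in force on the date it was given, keeps withdrawn consents as a suppression list rather than deleting them, and treats consents older than the ICO’s suggested two-year refresh period as needing renewal. The notice versions, dates and the `ConsentLedger` API are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample: privacy-notice versions and the date each came into force.
NOTICE_VERSIONS = [("v1", "2018-05-25"), ("v2", "2020-01-01")]


def notice_in_force(on: str) -> str:
    """Return the privacy-notice version that was shown on an ISO date (latest in force)."""
    day = date.fromisoformat(on)
    current = None
    for version, effective_from in NOTICE_VERSIONS:
        if date.fromisoformat(effective_from) <= day:
            current = version
    if current is None:
        raise ValueError(f"no privacy notice in force on {on}")
    return current


@dataclass
class ConsentRecord:
    subject_id: str                      # who consented: name or online identifier
    purpose: str                         # one record per purpose/channel keeps consent granular
    given_on: date                       # the date consent was given
    method: str                          # how: "online form", "oral", "written"
    notice_version: str                  # which notice described the processing and purposes
    withdrawn_on: Optional[date] = None  # set on withdrawal; the record is never deleted


class ConsentLedger:
    REFRESH_AFTER = timedelta(days=730)  # ICO suggestion: refresh consents about every two years

    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, given_on: str, method: str) -> ConsentRecord:
        rec = ConsentRecord(subject_id, purpose, date.fromisoformat(given_on),
                            method, notice_in_force(given_on))
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, on: str) -> None:
        """Log the withdrawal date; the record stays on file as the suppression-list entry."""
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_on is None:
                rec.withdrawn_on = date.fromisoformat(on)

    def may_process(self, subject_id: str, purpose: str, today: str) -> bool:
        """True only if an unwithdrawn, non-stale consent exists for exactly this purpose."""
        now = date.fromisoformat(today)
        for rec in self.records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_on is None:
                if now - rec.given_on <= self.REFRESH_AFTER:
                    return True
        return False

    def suppression_list(self, purpose: str) -> List[str]:
        """Subjects who withdrew consent for this purpose, kept so they are not contacted again."""
        return sorted({r.subject_id for r in self.records
                       if r.purpose == purpose and r.withdrawn_on is not None})
```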

Children’s consent for online services

If a child is signing up to use online services (other than preventive or counseling services), such as online games or education platforms, and the lawful grounds you rely on to process their data is consent, then consent must be obtained from a parent or guardian if the child is under a certain age. This list includes matters that you need to consider when obtaining consent for children’s use of online services:
  • The relevant age of consent for children differs from country to country. In the UK, it’s 13. The map shown in the following figure shows the relevant age for other countries.
  • You might need to take age verification measures: For example, if you choose to rely on the child’s consent because they state that they are older than the age required for parental consent, you may need to take additional measures to verify their age — don’t just take their word for it.

  • You might need to confirm a parent’s responsibility: If a parent’s consent is provided, you need to make reasonable efforts to verify the parent’s responsibility for the child.
  • Parental consent doesn’t automatically expire when the child reaches the age of consent: You may need to refresh this consent more regularly.

Third-party consent

A third party may be able to provide consent on behalf of another person, but you need to ensure that they’re duly authorized to do so. If a third party is providing consent, the data subject still needs to be fully informed about the processing and the purposes by way of a privacy notice. In practice, a third party providing consent for the processing of personal data of adults is likely only in circumstances where the third party has power of attorney for the data subject and can act on their behalf. You can assume that adults have the capacity to consent, unless you have any reason to believe otherwise.