Under GDPR, consent for any data processing must be specific, granular, and auditable. The consent needs to be simple to understand and easy to withdraw.
The new requirements for consent could force some organisations to approach current data subjects again to request new permission to use their data. Review your current consent processes and establish when consent is needed and how it should be provided to ensure your obligations are being fulfilled.
“GDPR is focusing on the record-keeping around consent and the audit trail you need to have,” says Steve Wood, head of international strategy and intelligence at the ICO.
“Consent has got to be easy to withdraw, and you’re going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with.”
Keep clear records of all consent taken, establish straightforward withdrawal mechanisms and regularly review procedures to keep up with any changes to processing activities.