Under previous Data Protection law the concept of “consent” was a bit woolly and as such open to abuse.
GDPR represents a major strengthening of “consent” as given by a Data Subject. As a Data Controller, you generally need consent from the Data Subject before you process their personal data.
Data Subjects must be told in a clear and unambiguous way exactly what they’re being asked to consent to, in terms of your processing of their PII.
This means your website needs clear, easy-to-find information about exactly what you plan to do with personally identifiable information. It is no longer acceptable for permission to be assumed or implied. It must be informed.
For example your website will need a Privacy page that is accessed directly from your main navigation menu. The Privacy page needs to be in large enough text to be easy to read and in plain English so it is easy to understand. No legal gobbledegook. No use of double negatives to try to confuse people. If it is not easy to understand, Data Subjects cannot be classified as “informed”.
There can’t be conditions attached to Consent. So you can’t offer something, then make it contingent on Consent being given and withdraw it if Consent is not given. Data Subjects must not be bullied, coerced, threatened or tricked into giving Consent.
As part of informing your Data Subjects about the Consent you need, you must explain to them exactly what you’re going to do with their PII. Data Subjects have the right to grant Consent for specific purposes only.
So the days of you getting their email address from a competition you ran then using it to send them emails about every promotion you run for the next two years are gone.
In the context of running a competition you can ask for permission (consent) to contact them to tell them whether or not they have won. You would need that as part of the competition entry mechanism. But if you want to send them information about a new product or offer you have to ask for new Consent for that specific purpose.
Each time you get Consent for a specific purpose, you need to record the fact. Consent is as simple as a tick box in the right place. But it needs to be supported by written policy and process records so you can demonstrate your compliance with GDPR.
Consent needs to be a positive action – such as ticking a box. You can’t have the box already ticked and expect people to untick it. That would be a negative action and your Consent would not be valid.
It should be as easy to withdraw Consent as it is to give it.
Again, if you’re using a reputable Autoresponder such as Aweber to send your marketing promotion emails, each message sent will contain an “unsubscribe” link.
But you need to make sure that the method of withdrawing Consent is as easy to use as the method for granting it. For example, the tick boxes used for each purpose on a website page should be the same size and clearly positioned so that the “withdraw consent” option is not diminished in any way.
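The per-purpose, positive-action, recorded and withdrawable consent described above, as an added example that is not part of the original article: a small consent ledger that refuses pre-ticked boxes, stores one record per purpose with a timestamp and the privacy-notice version shown, is checked before any processing, and makes withdrawal a single call. The purpose names and the `policy_version` field are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentEvent:
    """One recorded consent decision; the audit trail GDPR asks you to keep."""
    subject_id: str
    purpose: str          # consent is granted for one specific purpose only
    granted: bool         # True = consent given, False = consent withdrawn
    timestamp: str        # UTC ISO-8601, when the positive action happened
    policy_version: str   # which privacy notice the subject was shown (assumed field)


@dataclass
class ConsentLedger:
    events: list = field(default_factory=list)

    def record_form(self, subject_id: str, policy_version: str, boxes: dict) -> None:
        """boxes maps purpose -> (ticked, ticked_by_default).
        Only a box the Data Subject actively ticked counts as consent;
        a pre-ticked box is rejected outright rather than recorded."""
        for purpose, (ticked, ticked_by_default) in boxes.items():
            if ticked_by_default:
                raise ValueError(f"pre-ticked box for {purpose!r} is not valid consent")
            if ticked:
                self._append(subject_id, purpose, True, policy_version)

    def withdraw(self, subject_id: str, purpose: str) -> None:
        """Withdrawing is one call, as easy as granting (e.g. an unsubscribe link)."""
        self._append(subject_id, purpose, False, "withdrawal")

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Check before processing: the latest event for this subject and purpose
        decides, and no record at all means no consent (nothing is implied)."""
        history = [e for e in self.events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return bool(history) and history[-1].granted

    def _append(self, subject_id, purpose, granted, policy_version) -> None:
        now = datetime.now(timezone.utc).isoformat()
        self.events.append(ConsentEvent(subject_id, purpose, granted, now, policy_version))


if __name__ == "__main__":
    # Constructed sample: a competition entrant ticks only the "tell me if I won" box.
    ledger = ConsentLedger()
    ledger.record_form("entrant-42", "privacy-v1", {
        "competition_result": (True, False),
        "product_news": (False, False),
    })
    print(ledger.may_process("entrant-42", "competition_result"))  # True
    print(ledger.may_process("entrant-42", "product_news"))        # False
```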