Why do companies find it so hard to get their heads around even the basics of GDPR compliance? I’m not even thinking here of techie stuff like not getting hacked, and not losing a laptop full of unencrypted customer data.
By comparison, informed consent is simple. I mean, it’s not exactly rocket science, is it? Just like in real life, if someone freely and soberly says Yes, you’re OK. If they don’t, you’re not.
There are even clear explanations of what the various Articles of the GDPR mean and how to interpret them. They’re called Recitals and they’re quite widely available online. For example, the UK Information Commissioner’s website offers a simple document with the Articles and their Recitals grouped together. Third-party websites such as GDPR-info.eu and Privacy-Regulation.eu provide the texts reformatted and linked, so you can easily click from one bit to the other.
All you need to do is jump from Article 7 “Conditions for consent” to its associated Recital 32, and there it is:
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement… This could include ticking a box when visiting an internet website… Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Affirmative and informed
So why am I still finding companies – both UK and EU27 – that think it’s acceptable to require website visitors or customers to “Please tick here if you do not wish to receive marketing information”? Which bit of ‘affirmative’ do they not understand?
One of them even prefaced its “If you do not wish” consent-grab with “Personal data supplied is subject to the Regulation (EU) 20126/679.” Yes, you guessed it – that’s the GDPR’s formal title.
Look, as I said above and as I’ve written several times before, this stuff doesn’t have to be hard. If you get the organisational mindset right, GDPR compliance can even help improve your data security and information governance.
Heck, if you do your research, you might even discover that by concentrating on consent you risk shooting yourself in the metaphorical foot.
PS. None of this will go away after Brexit. In fact, it will most likely get worse, because the European Commission can examine a non-member’s data protection laws and declare them inadequate if they don’t match up to the GDPR. Inadequacy means no more cross-border transfers of personal data without further safeguards.