One of the major points of debate in ensuring GDPR compliance is gaining consent. The regulations require that any organisation wishing to collect and process (i.e. use) a person’s information must have sound legal grounds to do so.
In many cases, these legal grounds will simply be that the individual has requested a service, and certain elements of information are essential to this. But when this isn’t the case, such as when it comes to marketing, consent must be acquired.
Lots of businesses had to alter their contact forms and similar pages on their websites when GDPR came into effect, and if you’re setting up a new business you now have a lot to consider when creating a data consent form. A business can no longer simply collect information from a form and then use it however it wishes.
In this article, we’re going to go through a few of the main points to bear in mind when you’re thinking about writing data consent questions on contact forms, quote forms, or any other kind of page that collects information about an individual.
A GDPR consent form is required when a business asks for personal data in connection to a non-essential service, such as adding someone to an email list. In these instances, the person sharing their personal data needs to give consent to it being used by the organisation in compliance with GDPR.
Many people fill in data consent forms all the time without properly reading them, as often all that is required is ticking boxes and clicking ‘accept’. Regardless of the level of engagement your GDPR disclaimer and form might get, you still need to take the time to create a compliant consent form in line with GDPR consent requirements so that users understand how their data will be stored and used and what their rights are in relation to this.
GDPR consent forms are needed when personal data is collected for non-essential purposes, such as sending marketing content. Responding to a message sent through a contact form can usually rely on a different lawful basis, but anything beyond answering that request, such as adding the sender to a mailing list, needs consent. Non-essential website cookies also need consent, although in the UK that requirement comes from PECR rather than the GDPR itself. If you're reviewing your GDPR statement for forms or setting up a new website that requires a data consent form, then there are several important things to keep in mind to ensure you’re compliant.
Article 4(11) of the GDPR defines consent as a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes, given by a statement or by a clear affirmative action. Your consent forms must meet these requirements by being specific, informative and direct, which we’ll discuss in more detail below.
GDPR is very clear in wanting individuals to have control over their data, which means that you need to reflect this where possible in your GDPR disclaimer. If there are several different things that you want consent for, then split them down where practical. Bundling options together could well fall foul of regulation, so don’t do this.
There does need to be some consideration for ease of use in a GDPR consent form, as using too many questions could be off-putting and confusing, so use common sense. In general, it’s best to keep agreement to your general terms and conditions for carrying out the requested service (which rests on the contract with the customer rather than on consent) separate from the consent you ask for any additional types of processing, such as marketing. Consent that is buried in, or made a condition of, the terms and conditions is not freely given.
You may also have different ways to contact the individual as part of your form, such as through email, text or phone. It’s good practice to let the individual choose each of these channels separately rather than agreeing to all of them at once. If you’re in doubt, then ask the question. This is the safest position to take.
You must be sure that the user has read and understood your GDPR statement for forms and decided whether or not to agree. The regulation is explicit that silence, inactivity or pre-ticked boxes do not count as consent, so implied opt-in is no longer a defensible position.
Avoid using automatically checked boxes. Because the controller must be able to demonstrate that consent was given, you need a record going forward showing that the user actively opted into whatever data processing you’ve requested: what they agreed to, when, and which version of your privacy information they saw. Make sure that all boxes are unchecked and that the user has to read the question and tick the box in order to have given consent.
Getting consent isn’t purely about staying on the right side of GDPR. It’s also your opportunity to sell the benefits of collecting data.
Explain why you’d like consent under GDPR to send marketing emails or other reasons for processing information. Will you be sending out exclusive offers or discount codes? What does the user get out of this? Will you be able to provide a better service with certain bits of information?
You don’t want to go overboard in explaining the benefits of giving consent, but it really does help to give users a reason to check that box. It’s also worth noting that you need to ensure that the user doesn't feel obliged to give consent in order to get a good service; consent that is made a condition of the service is not freely given.
Our final point about writing a GDPR consent form is an important one. As with a great many types of writing, the most effective approach to take is to speak as plainly as possible. This will help your customers, or potential customers, understand exactly what you’re offering and why it might be of benefit to them.
In addition, the GDPR requires that a request for consent is clearly distinguishable from other matters and written in clear and plain language, with no ambiguity. This also goes for any terms and conditions or privacy policies that your questions might link out to. You can have a very robust set of policies without the need for overly complex legal language that your users are unlikely to understand.
In the UK, GDPR-compliant consent is defined as consent which is given with clear affirmative action, such as an opt-in. A user, also known as the data subject, must actively give their consent for their data to be used, instead of the consent being given passively by not opting out.
Under the GDPR, consent must be given after the subject has been given unambiguous information about what they are consenting to. Distinct processing operations need to be consented to separately, and withdrawing consent should be as easy as giving it. Control over consent is also ongoing, so the option to withdraw needs to be accessible at any time.
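The points above about unbundled checkboxes, no pre-ticked boxes, keeping proof of the opt-in and making withdrawal easy translate directly into how a form and its back end should behave. The following is an added example written for this article, not code from the original page or any real product. It assumes a hypothetical form with one checkbox per marketing channel, named as in PURPOSES, and that a browser submits a ticked checkbox as the value "on" and omits unticked ones. The HTML templates embedded in it are constructed for the example.

```python
"""Consent capture and record keeping for a web form (illustrative, stand-alone)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from html.parser import HTMLParser
from typing import Dict, List, Optional

# One checkbox per distinct processing purpose, so consent is never bundled.
PURPOSES = ("marketing_email", "marketing_sms", "marketing_phone")

# Constructed templates: the second one renders the email box already ticked.
GOOD_TEMPLATE = """
<input type="checkbox" name="marketing_email"> Email me offers
<input type="checkbox" name="marketing_sms"> Text me offers
<input type="checkbox" name="marketing_phone"> Call me about offers
"""
BAD_TEMPLATE = """
<input type="checkbox" name="marketing_email" checked> Email me offers
<input type="checkbox" name="marketing_sms"> Text me offers
"""


class PretickedBoxFinder(HTMLParser):
    """Static check: report consent checkboxes that a template renders pre-ticked."""

    def __init__(self) -> None:
        super().__init__()
        self.preticked: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # a bare 'checked' attribute appears with value None
        if tag == "input" and a.get("type") == "checkbox" and a.get("name") in PURPOSES:
            if "checked" in a:
                self.preticked.append(a["name"])


def find_preticked_boxes(template_html: str) -> List[str]:
    finder = PretickedBoxFinder()
    finder.feed(template_html)
    return finder.preticked


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    given: bool                    # True = consent given, False = withdrawn
    at: datetime
    notice_version: Optional[str]  # which privacy notice the subject saw (None on withdrawal)
    source: str                    # where it happened, e.g. a form id or the preference page


class ConsentLedger:
    """Append-only per-subject history; the latest event for a purpose decides."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def _append(self, subject_id: str, event: ConsentEvent) -> None:
        self._events.setdefault(subject_id, []).append(event)

    def record_submission(self, subject_id: str, form: Dict[str, str], notice_version: str,
                          source: str, now: Optional[datetime] = None) -> List[str]:
        """Record consent only for purposes the subject explicitly ticked.

        A missing field means 'no consent', never a default yes, so a hidden or
        pre-ticked field cannot manufacture consent on the server side.
        """
        now = now or datetime.now(timezone.utc)
        granted: List[str] = []
        for purpose in PURPOSES:
            if form.get(purpose) == "on":
                self._append(subject_id, ConsentEvent(purpose, True, now, notice_version, source))
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is recorded as a new event; the earlier opt-in stays as evidence."""
        now = now or datetime.now(timezone.utc)
        self._append(subject_id, ConsentEvent(purpose, False, now, None, source))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before every send: only a current, un-withdrawn opt-in permits contact."""
        events = [e for e in self._events.get(subject_id, []) if e.purpose == purpose]
        return bool(events) and events[-1].given

    def history(self, subject_id: str) -> List[ConsentEvent]:
        return list(self._events.get(subject_id, []))


if __name__ == "__main__":
    print("pre-ticked boxes in BAD_TEMPLATE:", find_preticked_boxes(BAD_TEMPLATE))
    ledger = ConsentLedger()
    submission = {"name": "A. Example", "marketing_email": "on"}  # constructed POST data
    print("granted:", ledger.record_submission("subj-1", submission, "notice-v3", "quote_form"))
    ledger.withdraw("subj-1", "marketing_email", "preference_centre")
    print("may email now?", ledger.has_consent("subj-1", "marketing_email"))
```

Two design points are worth noting. The template check fails a build as soon as a consent box gains a `checked` attribute, which is cheaper than discovering the problem in an audit. The ledger never overwrites, so the original opt-in, its timestamp and the notice version the subject saw survive a later withdrawal, which is exactly the record you need to demonstrate that consent was validly obtained and later honoured.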
Under the GDPR, a child can give their own consent to the processing of their personal data by an online service offered directly to them from the age of sixteen by default, but member states may lower this to thirteen, and the UK did so in the Data Protection Act 2018. So in the UK the age is thirteen. For a child below that age, consent for the online service must be given or authorised by the holder of parental responsibility.
In the regulation itself, consent is defined as “freely given, specific, informed and unambiguous”, given by a statement or by a clear affirmative action. This means that consent is given voluntarily, with affirmative action, and is given in response to understanding who the data controller is, what type of data is being processed, how it will be used and the purpose of the processing operations.
There is not a specific time limit for UK GDPR consent. This is because the context in which the consent was given is likely to change over time in a variety of ways, so the specific context of GDPR consent influences when circumstances will have changed enough that consent needs to be given again.
It’s been quite a few years since GDPR impacted the way that organisations deal with personal data, but the GDPR consent requirements are still something that new and existing companies have to deal with and ensure compliance with today. Writing and updating your GDPR consent form is an essential part of keeping in line with data protection laws, and this article has laid out the main requirements for ensuring consent compliance.
If you’re looking for more information about the GDPR regulations and what you are required to do to comply, online training courses are one of the best ways to expand your knowledge. Our online course ‘The Essentials of Data Protection (GDPR)’ is a great introduction to the topic and what you need to do in your organisation.