GDPR: Keeping current with consent
Guest blog by Sara I. James, IA Cert | 16 April 2018
25 May is looming – and many organisations are still grappling with how to comply with GDPR requirements. As internal auditors, you will already be providing consultancy or assurance engagements on your organisation’s readiness.
The potential consequences of non-compliance are greater than ever before, which has concentrated minds wonderfully. When it comes to providing acceptable evidence of the right to process data, consent forms may seem the safest – and easiest – way to do so.
But is this the case? Consent was already a hot topic in August 2017, and the Information Commissioner, Elizabeth Denham, emphasised then that consent is not the only route to compliance. As she put it, ‘Consent is not a silver bullet’!
So, what are the routes to compliance? How can your organisation comply with GDPR through consent or other means? And if your organisation does need to create or update consent forms, what are the guiding principles to follow?
First, consent forms may seem tempting. Organisations could very well be drawn to a one-size-fits-all approach, sending a single consent form to all individuals whose data they hold or process. However, the numbers and categories of people could be vast: employees, clients, partners, suppliers, contractors – all of whose data may differ.
Consent forms must be simple, clear and easy to follow. A single form to cover different groups of people, types and amounts of data, and possible uses, would be lengthy, complex and possibly very confusing.
Taking a ‘tick-box’ approach is unlikely to help matters. A form with multiple opt-in boxes that aims to cover all people and all situations will not be user-friendly. Even if you create multiple consent forms, targeting different groups of people and their data, beware the ‘efficient’ pre-ticked opt-in approach – this does not meet the standard for consent.
Creating a valid, meaningful consent form is therefore harder than it appears: one size will not fit all. A further difficulty is that writing a document in plain language – short words, short sentences, and clear meanings – takes far more time than the usual corporate waffle.
But should a consent form even be the first thing your organisation reaches for? Should the first exercise be to make clear on which lawful basis the organisation is holding or processing data? This could be:
- legal obligation;
- vital interests;
- public task;
- legitimate interests;
- special category data; or
- criminal offence data.
Keep in mind, too, that if your organisation has fewer than 250 employees, your regulatory obligations are fewer. In this case, according to the ICO, ‘you only need to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.’
Saying all that, internal audit can and should already be involved in data protection assessments. It can look at how organisations shape up and help them prepare for GDPR through assurance or advisory work.
Further reading from the Information Commissioner's Office:
- Fuller guidance and examples on consent
- Guide to the GDPR is a ‘living document’, so do check this link regularly to keep abreast of updates