In this extract from a new and informative guide, ‘Preparing Your Practice For GDPR’, brought to you by MyFirmsApp, the worldwide number one provider of intelligent Apps to professional firms in 11 countries, we look at what the law requires regarding consent for GDPR compliance.

Consent

What the law requires

• Consent must be a freely given, specific, granular, informed and unambiguous indication of the individual's wishes
• It requires a clear affirmative action, i.e. a positive opt-in; consent cannot be inferred from silence or pre-ticked boxes
• Consent must be verifiable, e.g. time-stamped records in a CRM database showing who consented, when, how and to what wording
• Consent wording and mechanisms must be separate from, and prominent relative to, other terms and conditions
• Individuals must be given simple ways to withdraw consent at any time

Next steps

While GDPR does not specifically require the practice to refresh all existing consents automatically, review how the practice seeks, records and manages consent, particularly for direct marketing.

For marketing that does require consent, existing consents may need to be refreshed if they were not obtained in a GDPR-compliant way, and any re-permissioning exercise should be approached carefully.
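The following Python sketch is an added example, not code from the MyFirmsApp guide, showing one way a practice could keep consent records that satisfy the bullet points above: each grant is time-stamped, tied to one specific purpose and to the exact wording shown, refused when it was not an affirmative action or was bundled into general terms, withdrawable at any time, and flagged for re-permissioning when it was captured under pre-GDPR wording. All class, method and field names, and the client records, are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: a grant or a withdrawal for a single purpose."""
    subject_id: str          # the individual (client or prospect)
    purpose: str             # one specific purpose, e.g. "email_marketing"
    given: bool              # True = consent given, False = consent withdrawn
    timestamp: datetime      # UTC time of the individual's action
    wording_version: str     # identifies the exact consent text they saw
    mechanism: str           # how it was captured, e.g. "web_form_checkbox"


class ConsentLedger:
    """Append-only record of consent decisions, one purpose at a time (assumed design)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, wording_version: str,
                       mechanism: str, affirmative_action: bool,
                       when: Optional[datetime] = None) -> ConsentEvent:
        """Record a positive opt-in. Refuses anything that was not an active choice
        (silence, a pre-ticked box) or that was bundled into the general T&Cs."""
        if not affirmative_action:
            raise ValueError("consent cannot be inferred from silence or a pre-ticked box")
        if mechanism == "bundled_terms":
            raise ValueError("consent must be separate from other terms and conditions")
        event = ConsentEvent(subject_id, purpose, True,
                             when or datetime.now(timezone.utc), wording_version, mechanism)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, mechanism: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        """Record a withdrawal. It must be possible at any time, so nothing blocks it."""
        event = ConsentEvent(subject_id, purpose, False,
                             when or datetime.now(timezone.utc), "n/a", mechanism)
        self._events.append(event)
        return event

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Time-ordered audit trail for one subject and one purpose."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.timestamp)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if the most recent decision on or before `at` was a grant."""
        at = at or datetime.now(timezone.utc)
        history = [e for e in self.evidence(subject_id, purpose) if e.timestamp <= at]
        return bool(history) and history[-1].given

    def needs_refresh(self, compliant_versions: Set[str]) -> List[Tuple[str, str]]:
        """Active consents captured under wording that is not GDPR-compliant,
        i.e. the records a re-permissioning exercise would have to target."""
        pairs = {(e.subject_id, e.purpose) for e in self._events}
        return sorted((s, p) for s, p in pairs
                      if self.has_consent(s, p)
                      and self.evidence(s, p)[-1].wording_version not in compliant_versions)


def _at(hour: int) -> datetime:
    """Fixed UTC timestamps on the GDPR start date, so the sample data is deterministic."""
    return datetime(2018, 5, 25, hour, 0, tzinfo=timezone.utc)


def demo_ledger() -> ConsentLedger:
    """Constructed sample data (not real clients) exercising grant, withdrawal and refresh."""
    ledger = ConsentLedger()
    ledger.record_consent("client-001", "email_marketing", "v2-gdpr", "web_form_checkbox", True, _at(9))
    ledger.record_consent("client-001", "postal_marketing", "v2-gdpr", "web_form_checkbox", True, _at(9))
    ledger.record_consent("client-002", "email_marketing", "v1-legacy", "paper_form", True, _at(10))
    ledger.withdraw("client-001", "postal_marketing", "unsubscribe_link", _at(12))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("client-001 email:", ledger.has_consent("client-001", "email_marketing"))
    print("client-001 postal:", ledger.has_consent("client-001", "postal_marketing"))
    print("needs refresh:", ledger.needs_refresh({"v2-gdpr"}))
```

Because every grant and withdrawal is kept as a separate time-stamped event rather than a single overwritten flag, `evidence()` can show a regulator what the individual agreed to and when, `has_consent()` can be answered for any past date, and `needs_refresh()` isolates the legacy consents so a re-permissioning campaign is sent only to those who need it.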

Data Protection Impact Assessments (DPIAs)

DPIAs are mandatory where data processing is likely to result in a high risk to individuals, for example when deploying new technology, carrying out sensitive profiling or processing sensitive data on a large scale, and they must be recorded and documented in a specific way.

The ICO must be consulted before processing begins if the DPIA indicates that the processing is high risk and the risks cannot be sufficiently mitigated.

Your Guide to GDPR

Grab your free copy of our helpful and insightful guide to GDPR helping you become compliant in time for the deadline.