February 25, 2024

Getting consent: 7 steps to asking the right questions

Written by
Nadia Kadhim

The ultimate guide to GDPR consent management for small businesses

In last week's first Transformer article, we set out how small businesses can comply with GDPR through seven steps. This week, we will talk about the elements of consent management.

One of the most important rules of GDPR is that your business needs to have a lawful basis for processing personal data. Having a legal basis is meant to protect individuals from anything ranging from annoyance (like those nasty spam emails that fill up our inbox) to something that constitutes a more serious breach of privacy law and poses an actual threat to our rights and freedoms. Today, we're going to talk about one of those legal bases for processing, i.e. consent.

In today's article, we will guide you through the seven elements of consent management (which is not limited to cookies and consent management platforms, although we do like them) to enable your small business to navigate the dark, murky waters of the GDPR, national telecommunications laws (and very soon, the EU's new e-privacy directive). We'll try to keep the legal lingo to a minimum, we promise. Let's go!

1. What are the lawful bases for processing data and why do I need one?

Let's start with the second question here: Why do you need a lawful basis for processing personal data? Well, you have to understand that the GDPR wants one thing above all else: To protect individuals' privacy. That's a noble objective that we can get on board with, right? In order to protect individuals' privacy, the GDPR wants businesses to think twice before they ask for someone's personal data and to have a good reason for keeping (or, "processing") it. 

In last week's article "7 ways to comply with GDPR for small businesses", we saw that consent is not the only legal basis for processing your business can rely on. In fact, any one of six legal bases can be used and it's up to you to decide which legal basis applies to your specific situation and processing activity. 

The lawful bases for processing personal data under the GDPR are:

  1. Consent
  2. Performance of a contract
  3. Legal obligation
  4. Vital interests of data subjects or another individual
  5. Public interest
  6. Legitimate interests of the controller

For most (small) businesses, your lawful basis for processing personal data under the GDPR will be either consent, performance of a contract or legitimate interest. It's important to know that your legal basis for processing can differ depending on which piece of personal data you process as a business and how you do so. For example, your lawful basis for processing personal data through your website (through cookies) might be consent, but your lawful basis for processing personal data by providing a service might be performance of a contract. Still with us? Good. Let's zoom in on consent.

2. Elements of Consent

Before we discuss consent, we must first understand the key elements of consent. Any consent given by a data subject must be:

  • Free
  • Informed
  • Specific
  • Explicit 
  • Timely
  • Able to be easily withdrawn
  • Demonstrable 

Consent must be freely given; there must not be any condition or risk attached to the request for consent and data subjects must not be cornered into giving consent. In other words: data subjects need to be able to say no. 

"In order to be free, we must be informed", as we're sure that some philosopher has once said. They were probably anticipating contemporary privacy laws. Consent must be informed: Consent can only be given after receiving all relevant information about the processing. 

Consent must also be specific… "The request for consent shall be presented in a manner which is clearly distinguishable from the other matters." It's important to remember that you should phrase your request for consent so that the individual can know exactly what they're consenting to. That way, you don't have to get into discussions about what you said, what you meant to say, what they thought you said and what they think about what you thought that they said. Or something like that.

…and explicit (or unambiguous), that is, there should be no question about whether the data subject has consented. "Silence, pre-ticked boxes or inactivity should not constitute consent". 

Consent must be given before any processing activities commence. The GDPR agrees with our parents: Ask for permission and don't ask for forgiveness after the fact.

Consent must be easily withdrawn. Have you ever tried to unsubscribe from Amazon Prime? No? Try it. It's virtually impossible. Don't be like Amazon, and make it as easy for data subjects to withdraw consent as it was for you to obtain consent. 

And finally, you must be able to demonstrate that you've obtained consent and that this consent fulfils all of these requirements. This is done through a process that we call consent management.

3. What is consent management? 

Consent management is the process of requesting, obtaining, storing and withdrawing consent in order to be legally compliant.

Website consent management

For many small businesses, their website is one of the main areas of non-compliance with the law. When it comes to consent management on your website, there are different laws and regulations to take into account: The GDPR, local telecommunications laws and the e-privacy Directive, which will soon be replaced by the e-Privacy regulation.

On your website, you process the website user's personal information through the use of cookies. Cookies are text files with small pieces of data that are used to identify your computer and track your activity on a website. These text files let you use a website without having to log in twice, for instance, and remember your preferences for the use of a website to make your experience more personalised and pleasant. In many ways, cookies make the internet work like we expect it to.

Marketing, tracking and so-called third-party cookies are used to remember what you do on certain websites, so that shops or other businesses can target you with ads (and that's why you're seeing all those shoe adverts, Karen). For these types of cookies, which aren't essential to the normal operation of the website, businesses must ask for permission. This consent must fulfil the requirements set out above, in that the consent must be given in advance, freely, informed, specific, unambiguous and must be easily withdrawn. You must be able to show that the consent fulfils these requirements, which we sometimes call consent management.

A lot of websites have the possibility to include a cookie banner or pop-up, where you ask for your website user's consent for the use of cookies, but often these do not comply with cookie regulation as they either contain pre-ticked boxes, are not specific or simply state that by using the website, you consent to the use of cookies. And that is definitely not allowed, as your website users need to be free to say no. 

Using a consent management platform or cookie consent manager such as Usercentrics is a great way to comply with local telecommunication laws, the GDPR and the e-privacy directive. 

What is a consent management platform? 

A consent management platform or CMP is a piece of technology that can be used on websites to obtain the legal consent from users to process their personal data via your website. It allows you to easily inform your data subjects about this specific processing activity, obtain their consent and an opt-in for further communications. You can show the world that you take legal compliance seriously, which not only benefits your reputation, but might save you a headache and a hefty GDPR fine. Who said balancing compliance and marketing had to be hard?

4. General consent management

Your website is not the only place where you need to manage consent, if you rely on consent as the legal basis for processing personal data. Remember that you can also rely on one of the five other lawful bases for processing personal data under the GDPR.

If you carry out other activities, like emailing, or if you provide a service or sell a product, you will also need to process personal data: Names, email addresses, perhaps a credit card number. Make sure that you record details of the consent, for instance in an Excel document or a GDPR consent form, if you rely on this legal basis to show that the consent in question fulfils all the legal requirements. Tools for emailing like HubSpot or MailChimp have their own GDPR consent forms that you can use for GDPR compliant emailing. And no matter what you do, you should inform your data subjects through a privacy policy that will guide them in their decision whether or not to give consent. Remember, in order to be free, we have to be informed - Right. Moving on.

5. Who gives consent?

In most cases, once you've decided to rely on consent as the legal basis for your processing activity, you will have to obtain permission from the data subjects themselves, for instance your website users. But in some cases, for instance when you process children's personal data, you will need to rely on consent given by someone other than the data subject, namely a parent or legal guardian. 

You need consent from parents or legal guardians for processing data from children below the age of 16 under the EU GDPR. In the UK, consent from an adult is necessary for children under the age of 13.

6. When consent isn't enough

Some types of personal data may not be processed by a business, unless there is a good reason to process this data, even if the data subject has consented. This is the case for special categories of personal data, which are defined by the GDPR as:

"Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation."

These categories of personal data may only be collected or otherwise processed if your business has a legitimate purpose. Because this type of personal data has an inherent risk for the data subject, you must ensure that you keep records of your legitimate purpose, the consent and the security measures you take to secure this data. Determining your legitimate purpose and keeping records are part of your consent management. One thing to remember is: If you don't need it, don't process it, especially when it comes to special categories of personal data.

7. GDPR Compliance for email marketing

Though we could write an entire book about consent when it comes to email marketing, we wanted to let you in on a few trade secrets right here and now. 

Does the GDPR mean that I can never again send (cold) marketing emails?

No, luckily, that is not the case. The biggest consideration when it comes to legal compliance for email marketing is your lawful basis for processing personal data in relation to whether the recipient is a new or prospective commercial relation or an existing one. It is also important to make the distinction between businesses and individuals, where sole traders are seen as individuals. 

If the recipient of your email marketing campaign is a business, you can rely on two lawful bases for processing: consent and legitimate interest. If the recipient is an individual (including a sole trader), then you can only rely on consent.


If you rely on consent, the consent must fulfil all the GDPR requirements for consent we set out above. You can rely on consent for new commercial relations and existing ones.

Legitimate interest

The GDPR specifically mentions that "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". This is the case if you are emailing businesses (and not sole traders or individuals!), whether they are a new relation or an existing one. If you rely on legitimate interest, you have to carry out a "balancing test", where you must:

  • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual's interests, rights and freedoms.

Soft opt-in

There are also situations in which you can rely on a so-called "soft opt-in". A soft opt-in is essentially a combination of consent and legitimate interests, where email recipients have not actively consented in advance, but are given the option to opt-out if they do not wish to receive further email communications from you. You can rely on a soft opt-in for businesses and individuals, but only if they are existing customers.

In order to rely on a soft opt-in for marketing purposes, you need to fulfil three requirements:

  1. email addresses must have been obtained "in the context of the sale or purchase of a product or a service"
  2. you may only use them "for direct marketing of its own similar products or services"
  3. end-users "are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use"

You must also carry out the balancing test that we saw under legitimate interest for the soft opt-in, where you must balance your legitimate interests against the individual's interests, rights and freedoms.

And that's a wrap: The 7 elements of GDPR consent management for small businesses

Whether you're a lawyer, an accountant, a marketeer, a consultant or even a farmer, the GDPR requirements stay the same. We will be there for you in the form of this guide for all of your GDPR questions. Sign up to our newsletter if you want us to send the next instalments of our Transformer series straight to your mailbox and look out on social media for next week's article, where we zoom in on GDPR after Brexit. Have a great week!