To prepare for the upcoming GDPR we’re doing a series of blogs about key regulations and ways to be compliant with them. In Part 1 we discussed the Right to Be Forgotten, in Part 2 we spoke about Privacy by Design and by Default, and in Part 3 we understood why designating a Data Protection Officer (DPO) may be the new norm.
In this blog, we analyze the all-important aspect of the customer. What changes will GDPR have on customer communication and experience?
The Article Explained
The GDPR puts “customer consent” at the heart of a number of its articles.
- Article 7 of the GDPR, Conditions for consent, states that:
  - Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  - If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  - The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- Article 9 of the GDPR, Processing of special categories of personal data, specifically calls out that processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, or health data is prohibited unless “explicit consent” is given by the customer.
- Articles 12, 13 and 14 further expand that “transparent information” needs to be provided to the data subject (a.k.a. the customer) about the information collected. The contact details of the controller and the Data Protection Officer (DPO), and the reasons why the information is collected, need to be clearly communicated.
- Recital 171 of the GDPR further says that pre-GDPR consent will only hold true if the manner in which the consent has been given is in line with the conditions of this Regulation.
How do I Achieve Compliance?
The GDPR is clear that any customer data has to be collected and processed with the explicit knowledge of the customer.
Some pointers to check:
- Regarding the way customer consent is collected:
  - It should be given by a clear affirmative action with an active opt-in (no pre-ticked checkboxes).
  - The request for consent should be written using language that is clear and understandable.
  - The request for consent should be unbundled and granular for each purpose.
  - It should be easy for the customer to withdraw consent.
- Explicitly name your organization and any third-party vendors who will be using the data.
- There must be a way to issue a report about who has given consent if asked by a Data Protection Authority.
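One way the checklist above translates into a system design is an append-only consent ledger: one record per subject and per purpose (granular consent), no default "granted" state (active opt-in), withdrawal recorded as a new event that does not erase the earlier grant (Article 7(3)), and a report the DPO can hand to a Data Protection Authority (Article 7(1)). The code below is an added example written for this post, not Spanning's code; the subject ids, purposes, timestamps and evidence strings are constructed sample values.

```python
"""Append-only consent ledger illustrating the Article 7 checklist.

Added example; subject ids, purposes and timestamps are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


def ts(iso):
    """Helper to build constructed UTC timestamps from an ISO string."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str      # one granular purpose per record (unbundled consent)
    granted: bool     # True = active opt-in, False = withdrawal
    at: datetime
    evidence: str     # how consent was captured, e.g. form id and version shown


@dataclass
class ConsentLedger:
    # Grants and withdrawals are appended, never overwritten, so the controller
    # can demonstrate what was consented to at any point in time (Art. 7(1)).
    events: list = field(default_factory=list)

    def grant(self, subject_id, purpose, evidence, at=None):
        # A record exists only because the subject acted: no pre-ticked default.
        self.events.append(ConsentEvent(subject_id, purpose, True,
                                        at or datetime.now(timezone.utc), evidence))

    def withdraw(self, subject_id, purpose, evidence, at=None):
        self.events.append(ConsentEvent(subject_id, purpose, False,
                                        at or datetime.now(timezone.utc), evidence))

    def consented_at(self, subject_id, purpose, when):
        """Was processing for this purpose covered by consent at `when`?
        Withdrawal does not affect earlier processing (Art. 7(3)), so only the
        latest event on or before `when` counts; no event means no consent."""
        relevant = sorted((e for e in self.events
                           if e.subject_id == subject_id
                           and e.purpose == purpose and e.at <= when),
                          key=lambda e: e.at)
        return relevant[-1].granted if relevant else False

    def report(self):
        """Current consent state per (subject, purpose) for a DPA request."""
        state = {}
        for e in sorted(self.events, key=lambda e: e.at):
            state[(e.subject_id, e.purpose)] = e
        return {k: {"granted": e.granted, "at": e.at.isoformat(),
                    "evidence": e.evidence} for k, e in state.items()}
```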
What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below.
Listen to my discussion on GDPR on The Hot Aisle #73 podcast here where I talk about these issues and more.
Stay tuned for my next blog on Data Security and Privacy Policies.
*** This is a Security Bloggers Network syndicated blog from Spanning authored by Brian Rutledge. Read the original post at: https://spanning.com/blog/countdown-to-gdpr-4-impact-on-customer-communication-and-experience/