Nixon Digital

The responsibility of GDPR’s explicit consent

The General Data Protection Regulation (GDPR), a data privacy law that came into effect in 2018, has established four main principles that organizations must follow when processing personal data: transparency, consent, security, and rights.

Transparency requires that organizations be open about how they use personal information and provide consumers with access to their data upon request. Consent mandates that organizations obtain explicit consent from individuals before processing their personal data. Security requires that organizations take appropriate measures to protect the data they collect and process. Finally, rights give individuals control over their personal data, including the right to access, rectify, and erase their information.

This blog will specifically focus on the second principle of consent, and more specifically, the concept of explicit consent. Explicit consent requires individuals to actively and clearly agree to the processing of their personal data, and organizations must provide detailed information about the processing activities and the rights of the data subjects. In this blog, we will explore what explicit consent means, what organizations need to consider when obtaining it, and how to ensure compliance with GDPR.

What does explicit consent mean? ​

GDPR has applied rules to make consent requests more tight. Before GDPR, companies could use implicit consent to enrol customers up to multiple newsletters and emailing campaigns. Implicit consent is given by an action and not by agreeing to certain terms. Such an action could be clicking further into the website.  

However, this is not the case since the introduction of explicit consent. It can be broken down into three components.  

  1. Explain to the consumer what data you are capturing,  
  2. Explain why you are capturing that data,  
  3. And who is requesting that data and who has access to it.
      

If all three components are treated appropriately, the website visitor understands exactly what data you want and what you want to do with it. Since the website visitor now understands what you want to do with the data, he, or she, can now make the decision to give you consent or not.  

However, when a website visitor agrees to let you use their data, they are only agreeing to what you have specifically told them you will be using it for. Therefore, if you want to use their data for something different you have to ask their permission, again.  

Three more components? ​

Yes, we already discussed three components about explicit consent but there are three more considerations you must keep in mind.  

  1. You should only hold the data for as long as you need. The customer might not have given consent to keep their data after the project has finished.  
  2. A higher level of consent is necessary to keep sensitive personal data.  
  3. The age of consent differs per country. If your customer is below the age of consent, parental authorization is required. 

You might feel a bit overwhelmed by all this. You may even worry that it could hinder the ability to attract new businesses. However, it is important to note that the site visitors who do give you their consent, are much more likely to be engaged in your brand.  

Technical implementation ​

Now that it is clear what explicit consent is and how it can be introduced, the next step is to consider technical implementation. Automation software can be used to track down each website under your domain and check whether they have the right Cookie Management Platform (CMP). It must however be noted that this software does not yet provide you with compliance. It is a mere scanner of your website portfolio.  

You also need to consider where explicit consent might be required. This can be rather broad including Google Analytics, marketing software, and newsletter subscriptions. Every one of these have to be considered separately to make sure that your consent form is communicated clearly.  

Besides having your CMP in order, you must also grant individuals access to their personal data when requested. This might be done because the individual wants to see, change or withdraw their consent. This has a direct impact on the software you are using. For example, a supporting process has to be in place to follow through from the request for access to the individual actually accessing their data.  

The Nixon Platform​

At Nixon Digital we take explicit consent serious and check whether it is correctly implemented. Our unique platform is designed to give you a comprehensive view of your website portfolio, including which websites have a CMP. Furthermore, our platform goes the extra mile by showing which websites have the necessary certificates and when they are due to expire. If you are curious about how our platform can help you, you can apply for a free website portfolio scan. This will give you a glimpse of how easy it is to use our platform and what it can add to your business.