Under the General Data Protection Regulation (GDPR), consent is one of the six legal bases for the lawful processing of personal data. Article 4 of the GDPR defines consent of the data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In practice this means that before an organisation may process personal data, the data subject must first give their consent, and for that consent to be valid it has to be:
specific, unambiguous and per purpose
given by a statement or by a clear act, and the data subject must be informed
distinguishable from other matters
in clear and plain language, intelligible and easily accessible
as easy to withdraw as to give consent
Data subjects (i.e. the people) are given more control over their personal data under the GDPR, and it demands greater responsibility, transparency and accountability from data controllers and processors in this data-driven age. Organisations that process personal data therefore have to manage the consent lifecycle from start to finish: from data collection, through enabling data subjects to change or withdraw consent, to deleting personal data once the purpose and retention period to which the data subject consented have ended. Furthermore, if they intend to change the purpose for which the data will be processed, they have to obtain new consent from the data subject.
What’s truly significant about the GDPR, other than the hefty fines, is its global scope: organisations outside the EU that process the data of EU citizens are also subject to the GDPR and its rules on consent.