Managing the right to withdraw consent is a key requirement of the EU General Data Protection Regulation (GDPR), and, if it hasn’t done so already, your organisation should be preparing by creating a withdrawal of consent procedure before 25 May 2018.
What does the GDPR say about consent?
Under the GDPR, there are stricter rules for obtaining consent:
- Consent must be freely given, specific, informed and unambiguous.
- A request for consent must be intelligible and in clear, plain language.
- Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
- Consent can be withdrawn at any time.
- Consent for online services from a child under 13 is only valid with parental authorisation.
- Organisations must be able to evidence consent.
Article 7(3) specifically says, “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
Managing withdrawal of consent under the GDPR
To manage this process efficiently, organisations must create a procedure that addresses the data subject’s right to withdraw consent for the processing of their data.
Below is an example of what a withdrawal consent procedure might look like – available from the market-leading EU GDPR Documentation Toolkit – which sets out the scope of the procedure, responsibilities and the steps that will be taken to cease processing the data subject’s data.
The EU GDPR Documentation Toolkit is designed and developed by expert GDPR practitioners, and has been used by thousands of organisations worldwide. It includes:
- A complete set of easy-to-use and customisable documentation templates, which will save you time and money and ensure GDPR compliance;
- Helpful dashboards and project tools to ensure complete GDPR coverage;
- Direction and guidance from expert GDPR practitioners; and
- Two licences for the GDPR Staff Awareness E-learning Course.