MonkeyByte 2: GDPR and Your Consent

By High Monkey, Our random thoughts collected

Categories: Learn

Join Virgil Carroll in the second 'MonkeyByte' episode of the series, as he talks more about GDPR and, more specifically, about obtaining consent. When using information you have collected from users, it is important that you receive specific consent for each type of activity in which you plan to use their information, whether that be newsletters, e-mail campaigns or any other type of activity.

Transcript:

Virgil: [00:00:01] Hi, and welcome to another Monkey Byte. This is Virgil Carroll, your host and principal human solutions architect at High Monkey. For anybody that doesn't remember what a Monkey Byte is, a Monkey Byte is where I take about five minutes to talk about and expand on, a deep dive on, a topic that was maybe covered somewhere previously. So today I thought I would talk a little bit more about GDPR, and in specific I thought I would talk about consents. And what is a consent? A consent is really when you're giving your consent. So probably the most practical example you can think of is I have a contact form on my website, and as part of that contact form I give some type of consent that says it's okay for somebody to reach out to me. So typically the way this is done is just by somebody hitting the submit button. To be able to be compliant with GDPR, and actually just probably to do this better, you need to start taking some additional steps. And so part of those additional steps is really looking at how you actually implicitly obtain consent. So when you look at consent and GDPR, there's really four areas that you have to meet. The first is your consent must be freely given. Otherwise, if I was filling out a form to download some trial software, it's something that I'm only getting for that trial software, and I also have the ability to say I consent to use this for marketing activities or something along those lines, and that it's being used really only for the purpose. But if it's going to be used for another purpose, that's clearly spelled out so that I can freely give it, and that people are not actually, like, the checkbox not already pre-assigned. The other thing is it must be very specific. And so what this really means is a lot of times consents are very broad, and it says, you know, something along the lines of "I give the consent for you to do anything you want with my information."
And what we have to do today now is we really have to look at that a little differently, and we have to look at that from the perspective of actually breaking it down. So with a contact form, if you were going to use it just for a contact and then you wanted to use it for other marketing activities, you can't only say "other marketing activities"; you may need to be specific, like our e-mail newsletter, part of our sales campaigns, to send you special offers. You need to be very specific. As a matter of fact, there's many that argue that really, to be GDPR compliant, you need to actually take that and have a different checkbox for each of those, so that they can granularly select which consent they want to give you. The third area is that you must be informed; otherwise the consent is asked for and then you misuse it. So again, this kind of goes back to this overall part of you need to ask for very specific consent. The other side of being informed is that they must know whether you're going to keep it for longer than needed. Otherwise, if you're using it for a contact form and then you reach their contact, then there needs to be some kind of consent around that if you keep that data for longer, and it has to be some part of your business processes. That's very key: not just something that you do just to keep it around. And the last part being unambiguous. You need to ask somebody to opt out, not opt in, so you can't have the checkbox pre-accepted, and the consent must not only be freely given, it must also be something that is easy to take away. So how do you develop a better consent process? Well, there are many examples on the internet, but none have really been tested. So we don't really know how they're going to end up sitting inside the GDPR requirements, but be careful of consent versus explicit consent.
So what this means is, you know, when you're giving your consent you're actually just giving something, but if you're doing something like that to just download a piece of trial software or something like that, they consider that explicit consent, where that's for a very specific need, and so you can't really use that data for other means. You need to make your consent specific to the task at hand, so you need to be very specific about that. And for additional uses, like I said, you need to look at explicitly calling those out as separate consents versus using "all related marketing activities." You need to tie down your consent process directly to your privacy practices and data handling processes. So this should be part of your process, not something that you just do in addition to that. You need to let people know if that data is going to be shared with other third-party systems. So this is probably going to be where we're going to see the most violations: you get this data and then you use MailChimp or some other service for e-mail providers. Well, they now become a data handler for you. You need to inform people that that's actually going to happen, and you need to make consent easy to withdraw. And so from that side you need to make it a very simple process to be able to do this. And that is probably going to be something that nobody has implemented, that you're going to have to think about: how do I take back my consent once I've done it? A couple other things you might want to look at is obviously having a regular review of those processes of your consent, keeping really good documentation around those consents, and then setting up and maintaining a consent expiration process. Remember, this isn't mandated for organizations outside the EU, but it is for those working with the EU and inside the EU. But that doesn't mean it's still not a great privacy practice.
So take it to heart and think about it, and you might just provide a better customer experience, because your customers will trust you more when you take these types of necessary things and give them the options they really want.
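The consent process described in the episode (one checkbox per purpose, nothing pre-ticked, third-party processors disclosed, consent easy to withdraw, a review and expiration process) can be modelled as a small per-purpose consent ledger. The block below is an added illustration written for this page, not code from High Monkey or from the episode; the purpose names, the retention period, the processor placeholder and the sample e-mail address are all constructed assumptions.

```python
"""Per-purpose consent ledger.

Added illustration of the consent practices discussed above. Purpose names,
the 365-day retention period, the processor placeholder and the sample
subject are assumptions, not values taken from the episode.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Each purpose is consented to separately: a bundled "anything you want with
# my information" purpose is deliberately not representable here.
# Format: purpose id -> (label shown to the user, third-party processors it is shared with).
PURPOSES: Dict[str, Tuple[str, List[str]]] = {
    "contact_reply":    ("Reply to your contact form message", []),
    "email_newsletter": ("Send you our e-mail newsletter", ["<email-service-provider>"]),
    "sales_campaigns":  ("Contact you as part of our sales campaigns", []),
    "special_offers":   ("Send you special offers by e-mail", ["<email-service-provider>"]),
}


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    expires_at: datetime
    disclosed_processors: List[str]     # third parties named on the form at grant time
    withdrawn_at: Optional[datetime] = None


def render_consent_form() -> List[dict]:
    """One checkbox per purpose, never pre-ticked, with any third parties named in the label."""
    fields = []
    for purpose, (label, processors) in PURPOSES.items():
        shared = f" (shared with: {', '.join(processors)})" if processors else ""
        fields.append({"name": purpose, "label": label + shared, "checked": False})
    return fields


class ConsentLedger:
    def __init__(self, retention_days: int = 365):
        self.retention = timedelta(days=retention_days)   # drives the expiration review
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_submission(self, subject: str, ticked: Set[str], now: datetime) -> List[str]:
        """Store consent only for the boxes the subject actually ticked; reject unknown or bundled purposes."""
        unknown = ticked - set(PURPOSES)
        if unknown:
            raise ValueError(f"unknown or bundled purposes not accepted: {sorted(unknown)}")
        for purpose in ticked:
            self._records[(subject, purpose)] = ConsentRecord(
                purpose, now, now + self.retention, list(PURPOSES[purpose][1]))
        return sorted(ticked)

    def has_consent(self, subject: str, purpose: str, now: datetime) -> bool:
        """Check before every use: granted, not withdrawn, not past its expiry."""
        rec = self._records.get((subject, purpose))
        return rec is not None and rec.withdrawn_at is None and now < rec.expires_at

    def withdraw(self, subject: str, purpose: str, now: datetime) -> bool:
        """Withdrawal is a single call per purpose, as easy as granting was."""
        rec = self._records.get((subject, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def expired(self, now: datetime) -> List[Tuple[str, str]]:
        """Input to the periodic expiration review: live records whose retention has run out."""
        return sorted((s, p) for (s, p), r in self._records.items()
                      if r.withdrawn_at is None and now >= r.expires_at)


def demo() -> dict:
    """Walk the lifecycle on constructed data (not a real submission)."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    out = {"form_pre_ticked": any(f["checked"] for f in render_consent_form())}
    ledger.record_submission("alice@example.com", {"contact_reply", "email_newsletter"}, now)
    out["newsletter_ok"] = ledger.has_consent("alice@example.com", "email_newsletter", now)
    out["sales_ok"] = ledger.has_consent("alice@example.com", "sales_campaigns", now)
    try:
        ledger.record_submission("bob@example.com", {"all_marketing_activities"}, now)
        out["bundled_rejected"] = False
    except ValueError:
        out["bundled_rejected"] = True
    ledger.withdraw("alice@example.com", "email_newsletter", now)
    out["newsletter_after_withdraw"] = ledger.has_consent("alice@example.com", "email_newsletter", now)
    later = now + timedelta(days=366)
    out["contact_after_year"] = ledger.has_consent("alice@example.com", "contact_reply", later)
    out["expired"] = ledger.expired(later)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every downstream use of the data (sending the newsletter, handing the address to the e-mail provider) would call `has_consent` for that one purpose first, so a withdrawn or expired consent stops the activity without any further code change; the `expired` list is what the regular review process works from.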