An alarming percentage of organizations report that they aren’t prepared to comply with the GDPR—and many don’t realize that they're affected or understand its rules. This ebook explains what the regulation covers and the steps you can take to make sure your company doesn’t incur steep penalties by violating it. From the ebook:
The European Union General Data Protection Regulation (GDPR) has applied since May 25, 2018, and just about every business that processes the personal data of people in the EU, ready or not, must comply or face the consequences of noncompliance. The penalties for failing to meet the standards set out in the GDPR can be severe and should not be ignored or shrugged off by any business.
One of the more significant concepts in the GDPR is consent. Consent is one of the lawful bases for processing personal data, and where an organization relies on it, the data subjects (the people whose personal data is being processed and must remain protected) have to clearly consent to that processing. That may seem reasonable, but obtaining valid consent can be more complicated than you might think. Consent can be given in more than one form, and compliant enterprises will have to know and account for the different forms.

What is consent under the GDPR?
The GDPR gives a clear definition of valid and lawful consent with regard to data subjects in Article 4(11):
“Consent is an unambiguous indication of a data subject’s wishes that signifies an agreement by him/her to the processing of personal data relating to him/her.”
In simple terms, here are the conditions of valid consent under the GDPR:
- Consent needs to be freely given.
- Consent needs to be specific, per purpose.
- Consent needs to be informed.
- Consent needs to be an unambiguous indication.
- Consent is an act: it needs to be given by a statement or by a clear affirmative action. Silence, pre-ticked boxes, or inactivity do not count.
- Consent needs to be distinguishable from other matters.
- The request for consent needs to be in clear and plain language, intelligible, and easily accessible.
- The controller must be able to demonstrate that consent was given, and withdrawing consent must be as easy as giving it.

Obtaining explicit consent, which the GDPR requires for certain kinds of processing, adds another layer of conditions to the process. Processing special categories of personal data such as health data is one example: data subjects consenting to the processing of their medical records must give explicit consent for the specific purpose or purposes of that processing, not a general acceptance of terms.