Published on September 5, 2021. Author: Privacy Research Team
Consent is one of the primary legal bases that organizations leverage to collect and process personal data. As per Article 7 of the GDPR, consent can only be an appropriate legal basis for data processing if it is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. This requires that an individual’s consent must be given voluntarily without any pressure or influence that could affect his or her choice. The use of dark patterns such as pre-selected tick-boxes, cookie walls or other such tactics used in websites that misguide users and force them to consent is prohibited under the GDPR. Data subjects should also be allowed to withdraw their consent at any time without any detriment. Furthermore, separate consent must be obtained for separate data processing purposes.
The GDPR also requires data controllers to be able to provide evidence that the data subject has given consent to the processing operation where processing is based on the data subject’s consent. This article digs deeper into the data controller’s responsibility of being able to demonstrate consent compliance.
Article 7(1) of the GDPR states as follows:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
While talking about burden of proof, Recital 42 of the GDPR states as follows:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
The aforementioned provisions of the GDPR indicate that the burden of demonstrating or proving that consent has been obtained from the data subject lies with the data controller. This is also consistent with the accountability principle of the GDPR, as stated in Article 5(2), that the controller shall be responsible for, and be able to demonstrate compliance with, the data protection principles.
As per the European Data Protection Board's updated Guidelines on Consent, data controllers are at liberty to create their own methods to demonstrate consent, in a way that does not hinder their daily operations. This should not, however, result in data controllers carrying out excessive amounts of additional data processing. Organizations should hold enough data to show that consent was obtained, but they should not collect any more information than necessary, in order to ensure data minimization.
To comply with the aforementioned requirements of the GDPR and EDPB Guidelines on Consent, organizations are required to do the following:
Securiti’s Consent Management Platform helps organizations maintain comprehensive audit trails to demonstrate compliance as well as respect the data subject’s latest preferences. The audit trail is a detailed dashboard consisting of the following:
Securiti’s PrivacyOps platform captures the exact text of the agreement and the types of cookies to which the data subject consented, thereby fulfilling the proof of consent requirement under the GDPR.
There can be several data processing operations where the data subject’s consent is considered an appropriate legal basis. For example, consent is relevant in email marketing and the installation of non-essential cookies and other similar tracking technologies. However, failing to obtain valid consent may expose organizations to exorbitant fines and penalties. Most global privacy regulations require organizations not only to obtain freely given consent but also to have proof of this consent for certain data processing activities. Doing this through manual methods is almost impossible given the amount of data that flows in and out of an organization in a single day.
Organizations need to find a solution that will help them automate this process, making it effective as well as cost and time efficient. The Securiti Consent Management Solution offers:
Request a demo today and see how it can help your organization comply with global consent regulations.