Consent is one of the primary legal bases that organizations leverage to collect and process personal data. As per Article 7 of the GDPR, consent can only be an appropriate legal basis for data processing if it is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. This requires that an individual’s consent must be given voluntarily without any pressure or influence that could affect his or her choice. The use of dark patterns such as pre-selected tick-boxes, cookie walls or other such tactics used in websites that misguide users and force them to consent is prohibited under the GDPR. Data subjects should also be allowed to withdraw their consent at any time without any detriment. Furthermore, separate consent must be obtained for separate data processing purposes.
The GDPR also requires data controllers to be able to provide evidence that the data subject has given consent to the processing operation where processing is based on the data subject’s consent. This article digs deeper into the data controller’s responsibility of being able to demonstrate consent compliance.
What is Proof of Consent?
Article 7(1) of the GDPR states as follows:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
While talking about burden of proof, Recital 42 of the GDPR states as follows:
“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
The afore-mentioned provisions of the GDPR indicate that the burden to demonstrate or prove that consent has been obtained from the data subject lies with the data controller. It is also consistent with the accountability principle of the GDPR, as stated in Article 5(2), that the controller shall be responsible for, and be able to demonstrate compliance with data protection principles.
As per the European Data Protection Board updated Guidelines on Consent, data controllers have liberty to create their own methods to demonstrate consent, in a way that does not hinder their daily operations. This should, however, not result in data controllers having excessive amounts of additional data processes. This means that organizations should have enough data to show consent was obtained but they should not be collecting any more information than necessary - to ensure data minimization.
What organizations must do to prove or demonstrate data subject’s consent?
To comply with the afore-mentioned requirements of the GDPR and EDPB Guidelines on Consent, organizations are required to do the following:
- Keep a record of consent statements received, as to indicate how consent was obtained, when consent was obtained, and the information provided to the data subject at the time.
- Be able to demonstrate that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent. According to the EDPB, in an online context, a controller must retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information presented to the data subject. It is to be noted that referring to a correct configuration on the respective website may not be sufficient.
- Keep a copy of the information that was presented to the data subject at the time of obtaining consent from him/her.
- As a best practice, consent should be refreshed at appropriate intervals.
Roadmap to Compliance
Securti’s Consent Management Platform helps organizations maintain comprehensive audit trails to demonstrate compliance as well as respect the data subject’s latest preferences. The audit trail is a detailed dashboard consisting of the following:
- Data subject identity (online identifier)
- Consent date (time and date stamp)
- Copy of data capture (including any information presented to the data subject)
- Cookie categories
- Consent status (whether consent has been granted, declined or withdrawn)
- Location code (cookie domain)
- First party and third party
Securiti’s PrivacyOps platform captures the exact text of the agreement and the types of cookies to which the data subject consented to, thereby fulfilling the proof of consent requirement under the GDPR.
Conclusion
There can be several data processing operations where the data subject’s consent is considered an appropriate legal basis. For example, consent is relevant in email marketing and the installation of non-essential cookies and other similar tracking technologies. However, failing to obtain valid consent may expose organizations to exorbitant amounts of fines and penalties. Most global privacy regulations require organizations to not only obtain freely given consent but also to have proof of this consent for certain data processing activities. Doing this through manual methods is almost impossible given the amount of data that flows in and out of an organization in a single day.
Organizations need to find a solution that will help them automate this process, making it effective as well as cost and time-efficient. The Securiti Consent Management Solution offers:
- Periodic scanning of websites
- Consent orchestration
- Configurable consumer preference center
- Configurable workflows
- Dynamic consent refresh
- Granular and comprehensive consent records for audit and reporting
Request a demo today and see how it can help your organization comply with global consent regulations.
