If you collect data in the European Union, you’re well aware of GDPR and potential for steep fines if you are not compliant. Find out which consent rules are key.
It’s been well over a year since the European Union’s (EU) General Data Protection Regulation (GDPR) went into effect. Proposed in 2012, the regulations were approved in 2016 to provide consistency between data privacy and protection regulations across EU member nations.
The cornerstone of GDPR is consent: information about a person belongs to that person. If your organization collects data that in any way relates to a citizen of the EU, that person should be informed about how you plan to use that information and kept informed as your organization’s data management strategy evolves. It doesn’t matter where the individual is located — universities that have even one student who is a citizen of the EU must also comply.
Understanding these consent rules can help your organization avoid fines from not managing your data in a GDPR compliant way. Consent must be:
- Freely given – The subject should not be convinced or coerced in any way to share their data. If the data is required to provide information or a service, that should be explicitly stated.
- Specific – Each activity that you will engage in that uses personal data must be specifically identified. Broad notifications are not compliant.
- Informed – The customer has to be clearly notified about how you intend to collect, store, use, and process their information.
- Unambiguous – This addresses design decisions for affirming consent: “Silence, pre-ticked boxes or inactivity should not therefore constitute consent,” according to GDPR Recital 32 (EU, 2019).
- Revocable – Although there is no currently defined statute of limitations, you should make it easy for the people you collect data from to withdraw their consent at any time.
If your organization sells products to EU citizens, collects personal information or tracks the web browsing behavior of EU citizens or residents, stores data on EU-based servers, or uses cloud-based applications hosted in the EU, pay close attention to these consent rules if your goal is to comply with GDPR.
European Commission (2019). What are the GDPR Consent Requirements? Retrieved from https://gdpr.eu/gdpr-consent-requirements/
European Commission (2018). Rights under GDPR. Retrieved from https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en
Palmer, D. (2018, May 23). What is GDPR? Everything you need to know about the new general data protection regulations. ZDNet. Retrieved from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/
Pardes, A. (2018, May 24). What is GDPR and why should you care? Wired. Retrieved from https://www.wired.com/story/how-gdpr-affects-you/

About the Author: Nicole Radziwill is the Vice President, Global Practice Leader, Quality & Supply Chain at Intelex Technologies. Before Intelex, she was an Associate Professor of Data Science and Production Systems, Assistant Director (VP) End-to-End Operations at the National Radio Astronomy Observatory (NRAO), and manager and consultant for several other organizations since the late 1990s, bringing quality management to technologically oriented operations. She is a Fellow of the American Society for Quality (ASQ) with a Ph.D. in Quality Systems from Indiana State University. Nicole serves as Editor of the Software Quality Professional (SQP) journal and is a former Chair of the ASQ Software Division. She is an ASQ Certified Manager of Quality and Organizational Excellence (CMQ/OE) and Certified Six Sigma Black Belt (CSSBB).