One of the most urgent requirements of the EU General Data Protection Regulation (GDPR) is the demonstration of consent. Consent forms can be particularly challenging, as there are various conditions under which data must be collected and stored.
So, what should you consider when creating consent forms?
Here are some practical tips from the GDPR Training team at FlexLearn, that will help you create GDPR-compliant consent forms:
Request as little data as possible
GDPR states that organizations should not process or retain personal data unnecessarily. This means that data should be collected for a specific purpose, used only for that purpose, and retained only for as long as necessary to fulfil that purpose. Typically, you might need the individual’s name and contact details; but should you need any additional personal information, think about how you can limit it as much as possible.
Make the Terms and Conditions clear
Ensure that the consent Terms and Conditions are visible, detailed, clear, and straightforward. Incorporate consent mechanisms into your forms that are easy to use and place them separately from any other T&C (such as the website’s Terms of Use). You should also let individuals know which organizations and third parties will be using their data.
Use opt-in consent forms
Use a pop-up or window with the information text that users must read before giving consent. Alternatively, present the information text in a dedicated form field, requiring users to scroll to the end before declaring their consent. Avoid pre-checked boxes as they are not considered informed consent.
Use a double opt-in mechanism
Ensure that individuals don't give their consent by mistake and that they have access to the email address they provided. After completing their consent form, they should receive an email with a confirmation link that they need to click to verify their consent. The double opt-in mechanism is already used to activate new accounts and confirms that those giving their consent are genuinely interested in the provided service.
Allow users to opt-out at any point
Give users the ability to withdraw their consent just as easily as they gave it. Inform them from the get-go that they have the right to withdraw their consent at any time and explain how they can do it. Continue to inform them in every communication.
By following these practices, you can create GDPR-compliant consent forms that respect the user’s privacy and data protection rights.
