GDPR: It's About Consent, Stupid!


The core focus of GDPR is consent; companies that ignore it or don't do it right do so at their peril.

My eyes are glazing over with all this GDPR content. I think I’ve listened to 20 webinars, read 30 reports, and read 2-3 articles each day. While some of it is interesting, I find most of it product- and service-centric, which just states the obvious. In the process, it’s missing the point that matters most: how will your company handle consent? When the time comes to start actually buying GDPR compliance services and software, you will need specific solutions to immediate problems, starting with consent. Here’s why:

This is a law enacted to protect the data of real people.  Consent should be obtained by explaining to users what you are doing, in clear language, as opposed to in legalese.  Give them clear and consistent ways to grant and modify their consent for use of their data.  How a company delivers their consent experience will be every bit as important as any other part of their digital user experience.  Companies who treat it as another piece of disclosure to be buried in the privacy policy do so at their peril.

Eduardo Ustaran, who we work with closely at Hogan Lovells, captures the consent requirements succinctly in this piece:

“When relied upon as a justification for the use of data, consent will need to meet very high standards and overcome certain conditions including: 

  • Consent cannot be bundled with T&Cs without clearly distinguishing between the uses of personal data and the other matters governed by the T&Cs

  • Consent can be withdrawn at any time and in an easy way that should be explained to the individuals before it is obtained

  • If consent is presented as ‘take it or leave it’, it will not be regarded as freely given.”

Regulators agree with this consent-focused approach. Think about it: a regulator would need to make a specific request or respond to a complaint to figure out if the more hard-core technical parts of GDPR compliance are done correctly. That’s time-consuming and expensive, and it right away gets your company’s lawyers all geared up for a fight. They have to make time to review your documentation. And lawyers have to be involved at each step of the process.

By comparison, figuring out if your company is gaining GDPR consent correctly takes literally seconds, happens without your knowledge, and costs the regulators next to nothing. Any regulator can quickly look at the consent process from hundreds of companies in hours with their web browser.

You can’t hide your lack of compliance from regulators, nor can you hide it from consumers or the press.  If your consent solution is weak, hard to use or non-existent, then you’ve just handed regulators all they need. Non-compliance can damage your brand and dramatically increase your company’s exposure to fines that start at €20 million.

Now, proper GDPR consent requires more thought than the ubiquitous Cookie Law notices that we provide across thousands of sites and apps. First, there are a lot more rights and clarifications that need to be a part of the note. Second, the user needs to be able to take real action, not just read more legalese. Third, and this is where it connects to the broader requirements of data governance under GDPR, the data controller needs not only to know which other vendors have access to the data being collected, but also to ensure those vendors are compliant with the GDPR. So even if your site is doing it right, if your vendors are non-compliant, you will pay the price along with them. The same goes for any company that is powering the marketing and advertising technology on your site.

That’s why we’re working closely with a number of leading technology partners to evolve our consent solutions, and connect them with the required privacy impact assessments and other back-end changes that the GDPR requires.  It’s an exciting project, and similar to ones we’ve successfully led before.  Our Cookie Law consent solution just received a U.S. Patent. We’re applying that same expertise and dedication to solving the GDPR consent solution for companies and the law firms and consultancies they rely on to put the entire GDPR program into place.

Watch this space for more education and opportunities to engage with an active community of Digital Governance leaders.  To learn more about our GDPR efforts, click here.
