Revising the management of consents as records by check lists
Student thesis: Master programme thesis
- Svein Olaf Bennæs
4. term, Master of Information Management (Continuing education) (Continuing Education Programme (Master))
This paper sets focus on how the management of consents has to be done in a more structured manner after May 25 and the enforcement of the General Data Protection Regulation. It is an attempt to assemble a set of tools, a checklist, as a practical way of addressing the issues concerning the management of electronic consents.
The end result is primarily directed towards controllers, records managers, Data Protection Officers and others that have a deeper interest in compliance, whether it is GDPR compliance or records management compliance.
Most of us have recently received a number of requests from various companies that wish to continue to process our personal data after GDPR was introduced in the EU on May 25, 2018.
Vera Jourová, the EU justice commissioner, emphasizes that companies that earn their money by the use of personal data are given more responsibility.
"Personal information is the gold of our time. And we provide information about virtually any step we take, especially in the digital space. It's as if people are naked in a goldfish bowl."
The overall goal of GDPR is to give citizens better control over what personal information different businesses collect from them.
Consent requirements form the core of this.
Under the new regulation, companies that process personal data carry the burden of proof, and consequently the obligation to provide documentation, for consents entered into after the Regulation entered into force.
The case against Facebook and its sharing of personal information with, among others, Cambridge Analytica has raised attention to processing based on the data subject's consent to unprecedented heights, and has resulted in many businesses taking the issue more seriously than before.
In the time period in which I have addressed this problem area, the subject has often come up for discussion with colleagues, fellow students and others in my network.
In retrospect, I am surprised at how often I have found myself having to go far down into the details, of pure necessity, to manage to explain what this is all about. Many will perceive this paper as quite theoretical, but the reason will hopefully become clear as the theory is assembled into practical tools at the end.
Consents play a very important role in the context of data protection, and - as the recent experience from the Cambridge Analytica case indicates - this role will become even more critical in the future.
In the work of developing this checklist, it has been important to isolate the life cycle principle of the consent object from the overall business process, and to consider how this piece of evidence in particular must be handled in the light of the new data protection regulation.
The control mechanisms listed in the checklist address the specific requirements of the GDPR and are related to processes described in globally recognized standards and frameworks. The controls are performed by answering the questions in the checklist, with references given in cases where the processing itself offers no immediate answer.
At some point in the future there will be a trial whose main question is whether a consent can be accepted as authentic documentation or not. After that, or hopefully before that, more data controllers will investigate how far their own systems, routines and procedures support the requirements deriving from the GDPR.
Until then, this checklist can be used as a basis for reviewing consent-based personal data processes. It is assembled from elements of recognized principles and standards, and will help to ensure that the consent object itself is safeguarded in a proper manner. It can be implemented as part of a larger audit, as part of a risk and vulnerability analysis, or simply used as a stand-alone tool.
Language | Norwegian |
---|---|
Publication date | 14 Jun 2018 |
Number of pages | 26 |