The GDPR rules for consent are much stricter than the previous legislation. To collect PII data, you need to make sure to get consent from anyone you want to collect data from. (Note that there are certain situations where consent does not have to be given, for example, when you need the data to fulfill a legal obligation toward the data subject.)
According to GDPR, the consent needs to be “freely given, specific, informed and unambiguous and requires affirmative action”. This means that the consent needs to be active, and that it is not enough to add an option that says: “if you continue to browse this site, you allow us to store your personal data”. The data subject needs to actively enter their email address, tick a box or perform some similar action. Checkboxes cannot be selected by default.
You need to write the consent notification in clear and simple language to make sure that the data subject understands what they are consenting to, and you need to explain what the purpose of the data collection is and how the PII data will be used.
When you need the consent of a data subject, you must store that consent, for example, in a user profile. You must also keep track of the consent given by the data subject so that you can match the consent with the exact purpose and collected data. Suppose, for example, that you set up a web form to collect name and email address from potential customers, and later find out that you really need their phone numbers as well as email address, so you add a phone number field to the web form. In this case, you need to be able to track which version of the form the data subject consented to. You will also need a clear explanation of why you need both email address and phone number, and to provide the customer with the option to consent to one of them but not the other.
It must be as easy to withdraw consent as to give consent, and it must be possible to withdraw consent at any given time. Preferably, you should have an automatic procedure for this, where the data subject can, for example, log in and delete their consent. The data subject should not have to phone you and ask you to remove their consent.
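One way to keep consent records that can be matched to a form version, a field and a purpose, and withdrawn by the data subject, shown as an added example that is not part of the original page. The class names, the in-memory list used as storage, and the choice to keep withdrawn records with a timestamp are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class FormVersion:            # hypothetical model of one published form version
    form_id: str
    version: int
    purposes: dict            # field name -> purpose text shown next to its checkbox

@dataclass
class ConsentRecord:
    subject_id: str
    form_id: str
    form_version: int
    field_name: str
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self._records = []    # in-memory store (assumption; use a database in practice)

    def give(self, subject_id, form, ticked):
        """Store one record per box the subject actively ticked (none pre-selected)."""
        unknown = set(ticked) - set(form.purposes)
        if unknown:
            raise ValueError(f"fields not on form v{form.version}: {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        for name in ticked:
            self._records.append(ConsentRecord(
                subject_id, form.form_id, form.version, name, form.purposes[name], now))

    def _active(self, subject_id, field_name):
        return [r for r in self._records if r.subject_id == subject_id
                and r.field_name == field_name and r.withdrawn_at is None]

    def withdraw(self, subject_id, field_name):
        """Self-service withdrawal; the record stays, timestamped (example's choice)."""
        hits = self._active(subject_id, field_name)
        for r in hits:
            r.withdrawn_at = datetime.now(timezone.utc)
        return len(hits)

    def consented_version(self, subject_id, field_name, purpose):
        """Form version under which this exact field and purpose was accepted, else None."""
        match = [r for r in self._active(subject_id, field_name) if r.purpose == purpose]
        return match[-1].form_version if match else None
```

Before processing a field, call `consented_version` with the purpose text currently in use; a `None` result means there is no active consent for that field and purpose, for example because the subject filled in the earlier form version or left the phone box unticked.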
Last updated: Jun 19, 2018