Visitor Opt-In needs logging for GDPR

GDPR actionable steps

Summary of the regulation step, Article 7 Conditions for consent

  • Log the location and time of opt-in
  • Each form should be screen grabbed and filed
  • Provide a link to Privacy Policy from the form
  • Use email double opt-in

As the visitor's consent needs to be recorded for its location and date. You will need to check that this data is recorded in your systems, as well as paper processes. For auditing and if the visitor later questions the consent it is advisable to screengrab all web Forms for reference copies with the dates they were live in production and then when a new version started.

Article 7 Conditions for consent - Lawful basis for processing

The data subject shall have the right to withdraw his or her consent at any time. The lawful basis for your processing can also affect which rights are available to individuals. For example, some rights will not apply:

.Right to erasureRight to portabilityRight to object
Consent givenX right to withdraw
Performance of ContractX
Compliance with Legal ObligationXXX
Vital InterestsXX
Public InterestXX
Legitimate InterestX

Checklist when asking for consent

  • We have checked that consent is the most appropriate lawful basis for processing?
  • We have made the request for consent prominent and separate from our terms and conditions?
  • We ask people to positively opt-in?
  • We don’t use pre-ticked boxes or any other type of default consent?
  • We use clear, plain language that is easy to understand?
  • We specify why we want the data and what we’re going to do with it?
  • We give individual (‘granular’) options to consent separately to different purposes and types of processing?
  • We name our organisation and any third party controllers who will be relying on the consent?
  • We tell individuals they can withdraw their consent?
  • We ensure that individuals can refuse to consent without detriment?
  • We avoid making consent a precondition of a service?
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place?

Source: Extract form ICO, where you can read more on Consent

More GDPR actionable steps

Do you have a GDPR process that you still have questions about?

Send me your thoughts, We can advise you on roadmap steps to production.

Photo: