Basically, no more pre-ticked boxes. That's what you want to be taking away. Consent is really ... is more tightly defined under the GDPR. A statement or clear affirmative act will be required by the data subject when you are collecting your information. If you just can visualize what we tend to think about, if you're downloading a program or you're online, you must be requiring a tick box that the individual actually will be ticking.

That would be considered a statement or a clear affirmative act. It can't be pre-ticked. That's not considered to be affirmative. Also, distinct consent is required for each operation. If you have two different products that you're offering, you will need to be getting or obtaining consent to be processing an individual's personal data for those separate operations if you were relying upon consent to process their data.

Now, this will relate back to the accountability obligations that we will discuss later on in the presentation. You must be able to prove that you've obtained consent in your record keeping obligation. If a DPA, the data protection authority comes to your or subjects you to an audit, you will be able to show in the record we obtained Emily's consent to process her data and so then you'll be protected.

Consent must be separate from the terms and conditions so must be clearly separate from the long agreement that you'll be presenting to them potentially. Obviously, consent is not consent if it's not as easy to withdraw as it is to give. You must make sure that an individual will be able to withdraw their consent fairly easily.

A fairly obviously example here would be direct marketing. Making sure that individuals are able to tick and select their consent to be contacted for marketing purposes. All right, yes next slide please. Increased transparency. This is really in regard to the disclosures of what you tell your data subjects.

This would be particularly, primarily would be in regard to privacy policies or privacy notices. You must have turned ... The privacy policies and notices must be transparent, clear, concise and easily accessible written in intelligible language that are adapted to data subjects. You may see nowadays online, in particular I would say some social media firms, their privacy policies are fairly clear and not drafted in legalese.

This would be in opposition to perhaps in the past. Well, definitely in the US, there were some agreements could be critiqued to be or some agreements or privacy policies or policies in general to consumers could be critiqued to be too legalese and perhaps downright confusing so consumers couldn't figure out what was going on with their personal data.

Here, the move is really to focus on transparency to ensure that the data subject understands what you as a company are going to be doing or what you propose to do with the personal data. Further, the GDPR will require more information to be included in the privacy policies or notices for example, the legal basis upon which you are relying to process their personal data.

For example, consent would be the legal basis or a legitimate interest or for a legal obligation. Any specific legitimate interest that you are relying upon to process an individual's personal data. For example, you may have a legitimate interest to process an individual's personal data if that's the point of your business.

If you need to have access to bank account information that could be ... You may want to ... You would likely more to obtain consent, but you can also rely upon a legitimate interest there likely because that's the whole function of your business would be to collect bank account information and be able to present it in a easily accessible fashion if that's your business model. That could be a legitimate interest that you're relying upon. 

You must disclose how long you intend to keep the data or at least how you will make that decision. If you engage in any profiling which may be very relevant for any credit references, you must ... That you engage in, you must disclose the logic involved and the potential legal effects on the data subject. Of course, you must implement appropriate technical and organizational measures to protect that personal data and provide notice to data subjects on any further processing.

This webinar was co-hosted with Mason Hayes & Curran www.mhc.ie