The typical ticked boxes in subscription forms are no longer enough: in four months from now every company will have to ensure that the consents to processing of sensitive data, even those collected before the GDPR comes into force, have been obtained lawfully, and will have to be able to provide legally valid records as proof.
But what does this really mean?
Companies will have to:
A. implement procedures to collect the consent and inform users about the processing of their data;
B. implement procedures for compliant health data storage and to keep records of collected consents in a legally valid manner.
A. Collecting Consents
Let’s dig a bit more into details.
To be allowed to process personal data of European citizens, companies must obtain consent from the users under free, specific, informed, granular, and explicit conditions.
- A freely given consent should be of a voluntary and “opt-in” nature: silence, pre-ticked boxes or inactivity will no longer be accepted.
- Any data has to be collected only for specific purposes, which cannot be widened after the initial agreement.
- Data subjects must be informed, meaning that they must be provided with a clear, easily accessible and plain explanation on the processing.
- For each purpose of processing, there should be a separate opt-in, to ensure granularity of consent.
- Last but not least, the consent must be given explicitly. Being in a digital or online context, companies can rely on electronic forms, emails, upload of scanned documents, electronic signatures, oral statements or a two-stage verification.
Companies have to implement procedures to inform users about the processing, to give them the chance to object to it and to control the further use of their data.
In addition to these practices, which apply to consents received once the GDPR is in force, companies have to review all the mechanisms they already have in place, to ensure privacy and security compliance and to make sure that all the elements of valid consent are also covered for old consents.
B. Storing and keeping record of Consents
However, the new rules do not only affect the client side. From the end of May on, there will be precise requirements on the server side as well.
The GDPR is very specific on this point; it states two things:
- obviously, not only the collection but also the storing of all these Consents must be implemented in a legally valid manner;
- for each stored item of information, companies must be able to demonstrate that the collection was done lawfully.
“Legally valid manner” is not so straightforward, and neither is the term “lawfully”.
Which procedures actually have to be implemented to comply with the new rules?
There are three stages to be considered.
- First of all, the moment of collection. In keeping track of the collected consents, companies are obliged not to include excessive amounts of sensitive data in processing activities: the information should be enough to show a link to the processing, but no more than necessary. Also at the end of the processing activity, proof of consent should be kept for no longer than strictly necessary.
- Secondly, the case of new/updated processing. Data subjects must remain well informed about how their health data is being used and how to exercise their rights, therefore changes in the policies or in the lawful basis require refreshing consent. Providing all the information once again at appropriate intervals is recommended even if no change in the conditions occurs.
- Lastly, the withdrawal of consent. If no other lawful basis to justify the processing exists, then the data should be deleted or anonymised. If the user exercises the right to be forgotten, then all the information must be erased.
In all cases, the controllers must be able to prove, for the entire duration of the data processing activity, that the subjects have given their consent, what the exact purpose of collection was, and that the storage is GDPR compliant.
Even though, presented in this way, the GDPR rules on this topic seem to hold no more secrets, implementing the new consent management process properly requires experience, costs and time, and carries risks.
C. So, how does Chino.io help you?
Implementing all the requirements yourself can be difficult, time-consuming and risky if errors are made.
Chino.io has developed a brand new feature to support you in GDPR compliance on consent tracking and to let you focus on your business.
It consists of an extremely simple digital health API that ensures compliance with all requirements and eliminates risks, and which you can integrate in less than 5 minutes.
With the Chino.io API, developers of digital health applications can store, update, and delete consents with a single API call. In addition, they can search by User-Id, retrieve the full history of operations on a user's consents, and obtain the legally valid audit log in case of legal issues. Every record is accompanied by references to the Privacy Policy, User-Id, Data Controller Info, the purposes of data processing and the version of the policy accepted.
Easy, right?
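As an added illustration of the three stages described above (collection, refresh on policy change, withdrawal) and of the record fields just listed, here is a minimal append-only consent ledger; this is example code written for this page, not Chino.io's API. It keeps one opt-in per purpose, ties each consent to the policy version the user accepted so that a new version forces a refresh, records withdrawal as an event, and hash-chains the history so the audit log is tamper-evident. The controller name, user ids and purposes are constructed values.

```python
"""Append-only, hash-chained consent ledger (constructed illustration, not Chino.io's API)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str         # the data subject (constructed value in tests)
    action: str          # "given" or "withdrawn"
    purpose: str         # one separate opt-in per purpose (granularity)
    policy_version: str  # version of the privacy policy the user actually saw
    controller: str      # data controller named in the information notice
    timestamp: str       # UTC time the event was recorded
    prev_hash: str       # digest of the previous event: links the audit chain

    def digest(self) -> str:
        body = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self, controller: str, current_policy: str):
        self.controller = controller
        self.current_policy = current_policy
        self.events: list[ConsentEvent] = []   # never rewritten, only appended

    def _append(self, user_id: str, action: str, purpose: str) -> ConsentEvent:
        prev = self.events[-1].digest() if self.events else self.GENESIS
        ev = ConsentEvent(user_id, action, purpose, self.current_policy, self.controller,
                          datetime.now(timezone.utc).isoformat(), prev)
        self.events.append(ev)
        return ev

    def give(self, user_id: str, purpose: str) -> ConsentEvent:
        return self._append(user_id, "given", purpose)

    def withdraw(self, user_id: str, purpose: str) -> ConsentEvent:
        # The withdrawal itself is kept as proof; the health data it covered must be
        # deleted or anonymised elsewhere unless another lawful basis applies.
        return self._append(user_id, "withdrawn", purpose)

    def has_valid_consent(self, user_id: str, purpose: str) -> bool:
        # The latest event for (user, purpose) must be an opt-in given under the
        # *current* policy version; an older version means consent needs refreshing.
        for ev in reversed(self.events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev.action == "given" and ev.policy_version == self.current_policy
        return False  # no record at all: silence or inactivity is not consent

    def history(self, user_id: str) -> list[ConsentEvent]:
        return [ev for ev in self.events if ev.user_id == user_id]

    def verify_chain(self) -> bool:
        # Recompute the chain; any edited or removed event breaks the next link.
        prev = self.GENESIS
        for ev in self.events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True
```

`has_valid_consent` returning False after a policy bump is the signal to re-present the notice and collect a fresh opt-in rather than silently carrying the old one over.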