UK GDPR tips – Consent

  1. In order to use consent as a legal basis for processing personal information, it must be freely given by the individual and must be able to be withdrawn at any time. Hence for most MVDC functions consent will not be appropriate. It is likely to be for marketing purposes only or if you wish to share an individuals personal data with a 3rd party.
  2. Consider if your Privacy Notice (Service-wide or specific) needs to be updated.
  3. Draft a letter / email using the template below, tailoring it to fit your needs (this is a loose template, but serves to provide some structure).
  4. Ensure your Information Asset Owner is happy with the Privacy Notice/ update to it, at which point you can reference an appointed web-friendly URL (when it is hosted on the website). Once agreed, the Privacy Notice/ updated Privacy Notice needs to be put live on the website ahead of the letter / email being sent out to customers.
  5. Consider the requirements of Privacy and Electronic Communications Regulations (PECR) at the outset if you are anticipating sending electronic marketing to data subjects. Speak to one of the Legal team for more information.
  6. If you are sending out to a list of email addresses, please ensure you Blind Carbon Copy (BCC) those addresses, and do not send either directly, or CC those emails addresses.
  7. When sending an email out in this way, make sure you send the email from an email address you are happy can handle the volume of responses from customers / residents opting-in.
  8. Whenever your correspondence is sent out, set a realistic deadline of when customers / residents need to respond by. We suggest picking a deadline 2 weeks from when the correspondence is sent out.
  9. You must keep the emails / letters (these can be scanned of course) from people who have opted-in. This is evidence and must be electronically stored somewhere safely.
  10. You will need to delete email addresses / postal addresses (and associated personal information) of those people on your mailing list / databases who do not respond within the set deadline, or reply that they do not consent.
  11. You should ensure you have a robust process in place for dealing with any withdrawals of consent.

Downloads:

Consent Request – Email and Letter Template [16kb]