TIME TO GDPR

Day(s)

:

Hour(s)

:

Minute(s)

:

Second(s)

Asking for consent
  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes, or any other type of consent by default.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give granular options to consent to independent processing operations.
  • We have named our organisation and any third parties.
  • We tell individuals they can withdraw their consent.
  • We ensure that the individual can refuse to consent without detriment.
  • We don’t make consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place.
Recording consent
  • We keep a record of when and how we got consent from the individual.
  • We keep a record of exactly what they were told at the time.
Managing consent
  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • We consider using privacy dashboards or other preference management tools as a matter of good practice.
  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • We act on withdrawals of consent as soon as we can.
  • We don’t penalise individuals who wish to withdraw consent.