In February, I undertook a review of the implications that the GDPR would have and how you should start preparing now. With a year until its enforcement, I now consider, in further detail, why it is crucial that you review your terms and conditions prior to the GDPR taking effect.
Terms and conditions
The GDPR brings with it an increased level of compliance, which means there is a greater risk of being found non-compliant. By reviewing your terms and conditions now, you can avoid being caught out by the new obligations due to be imposed in May 2018.
It is prudent to review your current terms so as to identify any amendments and/or areas which may be cause for concern in the future.
In particular, ensuring that you have received adequate consent is of the highest importance. Under the GDPR, consent must be unambiguous and obtained through a clear and affirmative action.
It looks as though the approach to consent will have to be on an opt-in basis, rather than on an opt-out basis. As such, pre-ticked boxes agreeing to have read and understood terms and conditions will no longer be accepted as consent, as there is not an element of opting-in, only opting-out.
Any complaints made by customers after 25 May 2018 in relation to receiving marketing without the requisite consent could be escalated to the Regulator, and you will be found to be in breach. By acting now, you can ensure your terms and conditions are adequate for the coming enforcement of the GDPR.
Clarification on consent
Some clarification is being sought as to whether general consent is sufficient, or whether it is required for each and every single processing operation. Further details on how consent can be obtained, and on whether old consents need updating, are also awaited. Updates are anticipated from the Article 29 Working Party later this year.