FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449 Email: hirett.co.uk@gmail.com
Consent Checklist
AUDIT TYPE: INITIAL / REVIEW / AUDIT
DATE: ________________
NAME OF AUDITOR: _________________________
AUTHORISED BY: _________________________
1. DECIDING ON CONSENT

| ASSESSMENT QUESTION | YES | NO | AUDITOR'S NOTES |
|---|---|---|---|
| Have you reviewed the six lawful bases for processing to determine whether consent is the most applicable basis for your processing requirements? | | | |
| Does using consent as your lawful basis most closely match your relationship with the individual and your purpose for processing? | | | |
| If processing special category data, have you reviewed all Article 9(2) (and DPA 2018 Schedule 1) conditions to ensure that explicit consent is the most appropriate? | | | |
| If the processing is related to marketing, have you reviewed the relevant e-privacy laws to ensure you understand when consent is required? | | | |
| Have you reviewed whether you will still need to retain any of the data for another purpose if the individual withdraws their consent? | | | |
| Have you ensured that giving consent is not a precondition of accessing your services or goods? | | | |
| Have you ensured that you are not in a position of power over the individual giving consent and that there is no imbalance in the relationship? | | | |
2. CONSENT COMPLIANCE (once you have determined that consent is the most appropriate lawful basis)

| ASSESSMENT QUESTION | YES | NO | AUDITOR'S NOTES |
|---|---|---|---|
| Have you documented your assessment of the lawful basis to evidence that consent is the most appropriate basis? | | | |
| Have you clearly defined what the individual is consenting to? | | | |
| Have you verified that the consent complies with the GDPR / DPA 2018 standard? | | | |
| Do you offer individuals real choice and control over how you use their data? | | | |
| Is the consent mechanism clear, unambiguous and easy to access and understand? | | | |
| Has the consent been freely given? | | | |
| Does the consent mechanism state the controller's identity? | | | |
| Does the consent mechanism name any third-party controllers who will be relying on the consent? | | | |
| Have you defined the purposes of the processing in the consent mechanism? | | | |
| Have you detailed the processing activities in the consent mechanism? | | | |
| Have you ensured that the consent mechanism sets out the individual's right to withdraw consent at any time and explains how to do this? | | | |
| Where applicable, have you obtained separate consent for different processing operations using granular options? | | | |
| Have you kept the consent mechanism separate from any terms and conditions? | | | |
| Do your consent mechanisms require an affirmative action, so that the individual must take a deliberate and specific step to opt in or agree to the processing? | | | |
| Do your consent mechanisms avoid technical or legal jargon and confusing terminology? | | | |
| Are oral consent confirmations accurately recorded and retained for evidencing consent? | | | |
| Have you obtained consent using an active opt-in mechanism? (examples included below) | | | |
| Where you need to obtain explicit consent for processing special category data, have you ensured that the explicit consent statement refers specifically to the element of the processing that requires explicit consent? | | | |
| Is any explicit consent kept separate from all other forms of consent in your mechanisms? | | | |
| Have you ensured that no pre-ticked boxes are used to obtain consent? | | | |
| If obtaining consent via a website, have you ensured that individuals do not need to log in or create an account to give consent? | | | |
| If your consent mechanism is directed at a child, have you ensured that the style and language are child-appropriate? | | | |
| If you are offering online services to children and are relying on consent, have you included age-verification measures to ensure that you seek parental consent for children under 13? | | | |
3. ONGOING CONSENT MONITORING

| ASSESSMENT QUESTION | YES | NO | AUDITOR'S NOTES |
|---|---|---|---|
| Do you keep a record of all consent that includes the below? | | | |
| Do you have processes for withdrawing consent and recording such withdrawals (e.g. online preference-management tools, unsubscribe links in emails and/or customer-service phone numbers)? | | | |
| Have you ensured that where consent is withdrawn, the individual will not suffer any detriment (e.g. loss of services or access to the site)? | | | |
| Where consent is given by a parent for a minor, do you have a control for revisiting consent when the child becomes an adult? | | | |
| Do you have a process for reviewing your consent mechanisms on an annual basis? | | | |
| Are processing operations that rely on consent regularly assessed to ensure that consent is still the most appropriate lawful basis? | | | |
| Has responsibility for reviewing consent mechanisms and recording consent been allocated to a specific individual? | | | |
| Do you offer individuals real choice and control over how you use their data? | | | |
| Do you offer individuals options to review their consent? | | | |
AUDITOR DECLARATION

Once completed, the auditor should complete the section below and obtain Director / senior management sign-off.

Have you dated and saved the completed review in your document control / compliance program? YES / NO

| AUDITOR | SENIOR MANAGER |
|---|---|
| Signed: _______________________ | Signed: _______________________ |
| Print: _______________________ | Print: _______________________ |
| Date: _______________________ | Date: _______________________ |