Consent Management is a system of processes and information technologies for managing people’s consent to something, typically to the processing of their personal, sensitive or health information. It allows companies to keep track of who gave consent to what and when, and to prove this to the people concerned as well as to the control authorities, if the situation so requires. Because consent is a legal act, it must be clear, provable and verifiable, as significant steps may be based on it (such as a surgical procedure, delivery or withdrawal of licenses, etc.).
Where is consent management used?
A person’s consent is needed whenever we require his or her permission. It is an important legal act - such permission (consent) gives us the right to act in a certain way. In practice, the most common situations in which the consent of the person concerned is needed are, for example:
- consent to the processing of personal data
- agreeing to business terms
- agreeing to terms of delivery
- consent to sending business offers (see direct marketing)
- agreeing to a specific medical intervention
Consent may concern customers and suppliers, but also employees.
What is consent management like?
Consent is confirmed either by a signature (handwritten or electronic) or in some other demonstrable way - for example, by ticking a field in an electronic form or within an application (software). There are a number of consent-related processes, such as:
- granting consent
- consent processing
- processes of withdrawing or revising consent
It is essential to save the consent record, whether on paper or in an information system, application or database. The consent record must state clearly:
- who gave the consent
- why the consent was granted, or under what circumstances
- when the consent was granted
The consent management system and processes should also allow consent to be withdrawn if circumstances and legislation so permit. Legislation may even oblige an organization to offer the possibility of withdrawing consent. An example of such legislation is the GDPR, specifically the section dealing with consent to personal data processing. Managing such a system can be very demanding in terms of administration. Ideally, the system works on a self-service basis so that people can manage their own consents themselves. This, of course, is not always possible, since it requires secure authentication of the people (users) and a secure login in order to prevent misuse of, or attacks on, the system.
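
The record and withdrawal requirements above, shown as an added Python example that is not part of the original article: an append-only consent log that stores who, why, under what circumstances and when, treats withdrawal as a new event rather than a deletion, and chains record hashes so that later edits are detectable. The class name, field names, hash chaining and sample identifiers are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed starting value for the hash chain (assumption)

class ConsentLedger:
    """Append-only consent log: every grant or withdrawal is a new event."""

    def __init__(self):
        self.events = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action, subject, purpose, circumstances, when):
        body = {
            "action": action,                # "grant" or "withdraw"
            "subject": subject,              # who gave the consent
            "purpose": purpose,              # why it was granted
            "circumstances": circumstances,  # how it was captured
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        self.events.append({**body, "hash": self._digest(body)})
        return self.events[-1]

    def grant(self, subject, purpose, circumstances, when=None):
        return self._append("grant", subject, purpose, circumstances, when)

    def withdraw(self, subject, purpose, circumstances, when=None):
        return self._append("withdraw", subject, purpose, circumstances, when)

    def is_active(self, subject, purpose):
        # The latest event for this subject and purpose decides the state.
        for e in reversed(self.events):
            if (e["subject"], e["purpose"]) == (subject, purpose):
                return e["action"] == "grant"
        return False  # no record means no consent

    def verify(self):
        # Recompute each hash and link; an altered event or a gap breaks the chain.
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Because the grant stays in the log after a withdrawal, the organization can still show that consent existed for the period in which it relied on it.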