PRIV- 20 – Consent and Disclosure Tracking

What is this control about?

Implementing the control ‘Consent and Disclosure Tracking’ is crucial for organizations that handle personal data because it ensures compliance with data protection regulations and helps build trust with individuals whose data is being collected and processed.

Available tools in the marketplace

Tools:

TrustArc CookieBot

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• N/A – No recommendations

Control implementation

Here are some guidelines to implement a Personal Data Correction:

• Identify Applicable Laws and Regulations: Begin by understanding the data protection and privacy laws and regulations that are applicable to your organization, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). These laws will outline the requirements for obtaining and managing consent for data processing activities.
• Define Data Collection and Processing Purposes: Work with the data owners and stakeholders to clearly define the specific purposes for which personal data is collected and processed. Document these purposes in a data inventory or data mapping exercise.
• Determine Consent Requirements: Review the legal requirements to determine when and how consent should be obtained from data subjects. Consent may be required for specific processing activities or for processing personal data for different purposes.
• Select a Consent Management Tool: Choose an appropriate consent management platform or software tool that aligns with your organization’s needs and compliance requirements. Ensure that the tool allows you to capture and record explicit consent, manage consent preferences, and maintain an audit trail.
• Create Clear Consent Language: Develop clear and easily understandable consent language that informs data subjects about the purposes of data processing and their rights. Avoid using complex legal jargon and ensure that the language is user-friendly.
• Implement Consent Collection Mechanisms: Integrate the consent management tool with your organization’s website, mobile applications, or other data collection touchpoints. Implement consent collection mechanisms, such as pop-up banners or checkboxes, to gather explicit consent from data subjects.
• Record and Store Consent Data: Ensure that all obtained consents are properly recorded and stored in a secure and centralized database. Include relevant details such as the date and time of consent, the specific purposes of processing, and the version of the consent language presented to the data subject.
• Update Consent Preferences: Provide data subjects with a user-friendly preference center where they can review and update their consent preferences at any time. Make it easy for individuals to withdraw their consent if they choose to do so.
• Monitor Consent Expiry and Renewal: Regularly review and track the validity period of consent obtained. Set up notifications to prompt data subjects to renew their consent when it is about to expire.
• Conduct Regular Audits: Regularly audit the consent management process to ensure compliance with data protection laws and regulations. Verify that consent data is accurate, up-to-date, and accessible for audit purposes.
• Train Employees and Raise Awareness: Conduct training sessions for employees involved in collecting and managing consent. Raise awareness about the importance of obtaining valid consent and adhering to the organization’s consent management policies.
• Perform Periodic Reviews and Improvements: Continuously review the effectiveness of the consent and disclosure tracking process. Make improvements based on feedback, changes in regulations, and lessons learned from previous audits.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Consent Management Tool Documentation:

Provide configuration of the consent management platform showing how the tool facilitates the collection, recording, and tracking of consent from data subjects.

      2. Consent Records:

Provide detailed records of obtained consent from data subjects

Evidence example

For the suggested action, an example is provided below:

• Consent Management Tool Documentation

• Consent Records