Consent Management Procedure
1. Introduction
1.1. This procedure outlines the approach of Fifty Five and Five Ltd (“the Company”) for obtaining, recording, and managing the consent of individuals from whom we process personal data. Consent is a key principle of data protection, ensuring that data subjects have control over their personal information.
2. Scope
2.1. This procedure applies to all personnel and processes within the Company that involve the collection and processing of personal data based on consent.
3. Obtaining Consent
3.1. Consent must be freely given, specific, informed, and there must be an indication signifying agreement.
3.2. Where the processing has multiple purposes, consent should be given for each of them.
3.3. Consent requests must be presented in a manner which is clearly distinguishable from other matters, in clear and plain language.
3.4. For sensitive personal data, explicit consent must be obtained.
4. Recording Consent
4.1. The organisation will maintain a record of when and how we obtained consent from the individual.
4.2. The exact details of the scope of the consent (what they were told, and how they consented) will be documented.
5. Managing and Renewing Consent
5.1. Consent shall remain valid until its purpose has been achieved or until the individual withdraws their consent.
5.2. If the purpose for which the data is processed changes, renewed consent will be sought.
5.3. Periodic reminders will be sent to data subjects to confirm their consent, at least once every year.
6. Withdrawal of Consent
6.1. The data subject has the right to withdraw their consent at any time.
6.2. The withdrawal process must be as straightforward as the process to give consent.
6.3. Upon withdrawal of consent, the organisation will cease the processing of the individual’s data for the purposes the consent was originally given, unless there is another lawful basis for processing.
6.4. All personnel must be trained to recognise a withdrawal of consent and know the immediate steps to take once it is received.
7. Refusal of Consent
7.1. Data subjects have the right to refuse to give consent without facing any detriment.
7.2. If consent is the only lawful basis for processing and the data subject refuses, their data should not be processed for that purpose.
8. Review and Audit
8.1. The organisation will review consent mechanisms regularly to ensure they comply with changes in data protection legislation and guidance.
8.2. An audit of the consent management procedure will be conducted at least annually to ensure effectiveness and compliance.
9. Data Breaches
9.1. In the event of a data breach concerning data for which consent has been obtained, the affected data subjects will be informed in accordance with our Incident Response Plan.
10. Training and Awareness
10.1. All personnel handling personal data will receive training on this consent management procedure as part of their induction and will receive periodic refresher training thereafter.
10.2. The Company is committed to ensuring that its employees understand the importance of proper consent management.
11. Queries and Feedback
11.1. For any queries or feedback regarding this procedure or any concerns about our consent practices, individuals should contact our Data Protection Officer at chris.wright@fiftyfiveandfive.com