Collecting data about people is part of almost all organisations' daily experience. However, many countries require a legal basis to collect and hold personal information. Therefore, most organisations ask for consent in some way or another, either directly or through those annoying pop-up boxes on websites and apps.
There are two main legal bases organisations use – consent and legitimate interest. However, what we often forget is that both approaches are underpinned by rights, and both require the collecting organisation to ensure that the person about whom the data is being collected is aware that it is happening and why.
Audits almost always check that consent was collected, usually by checking whether a tick box was marked. Or they check whether the rationale for legitimate interest was appropriate. But rarely, if ever, do they check whether appropriate awareness was created and whether the people the data is about understood, even though this too is a legal requirement.
What would happen if this changed?
As many big organisations are compliance-based beasts, would this help shift the needle?
The choice is up to us.