Stakeholders' and consumers' awareness

Update your registration flow to obtain lawful consent and write a data subject access request

A number of your data processing operations will probably be based on the principle of consent.

Consent is lawful only if it is “freely given, specific, informed and unambiguous” and given without coercion. It can be given by means of a statement or an affirmative act, such as ticking a box, provided that sufficient information is also given. Automatically or implicitly assuming consent, or using prefilled tick boxes, is not sufficient to obtain valid consent.

You must be able to demonstrate that you have obtained the valid consent of data subjects to process their personal data.

Furthermore, data subjects are entitled to withdraw their consent at any time. Withdrawing consent must be as simple as giving it, and data subjects must be informed of this right before they give their consent; otherwise the consent is invalid. You have to mention all of this in your data subject access request policy (see the Data Subject Access Request (form)).

 

Check your processors and data processing agreements

A processor is a third party that processes personal data on behalf of an organisation. Processors may include service providers who do the payroll accounting, but also all kinds of cloud or other IT services where the service provider stores or can access your personal data.

You should therefore write to each processor, by email or post, asking whether it is compliant with the GDPR (see our readiness letter and the readiness proof list).