Why you need a consent audit trail for GDPR

We are all aware of the potential for success that the advent of the internet has given us: the power of having an online business with global exposure.

For those who are still living under a rock, GDPR (the General Data Protection Regulation, EU 2016/679) is a regulation in EU law on data protection and privacy for all individuals within the European Union, coming into effect on May 25th, 2018.

First things first,

Who should be GDPR compliant?

In essence, if you have a website where you are expecting global exposure, which by default is going to include visitors from European Union countries, you need to be in compliance with this law.

So in effect, all our happy Invanto customers who are using any of our products have to be GDPR compliant.

For those who are not our customers, but still have an external business site or blog, you also need to be GDPR compliant. I insist you read this guide too, because we have a heart-melting surprise for you too!

So every business, large or small, that has a presence online needs to comply.

Why YOU need to be compliant?

Let me take this ‘one thing at a time’, in simple, plain language, as directed in one of the important Articles of the EU GDPR.

Which article, in case you are wondering:

Oh it’s the Article number – don’t mess with the personal information of your ‘Data Subjects’ or our Supervisory Authority will make sure to ruin you and your business with exorbitant, unbelievable fines to the tune of €20 million or 4% of your company’s global annual turnover of the previous financial year.



Pretty much explains the hoopla behind this. Money is the language of my soul.
Anyway, even if you are one of those daring ones saying, “No, it won’t bother me”, GDPR has made sure that all the third-party companies/processors storing the personal information of your data subjects should also be GDPR compliant.

High five!

So if you really want to stay in business, you don’t really have a choice.

On a serious note, IMHO this is the best time to be compliant with this law. Even if you haven’t yet started, don’t lose heart, and make visible efforts to at least get started on it. (Refer to the article “No one’s ready for GDPR” to know that you are not alone.)

But read ahead first…

Though the EU has not really left any aspect untouched, eventually every other country is sure to come up with its own updated privacy laws. So in effect, GDPR is the first one to help us and our businesses (especially us small businesses) to get more organized. Or at least let’s act like it’s for our good.

They did all this to protect the personal data of citizens of the European Union; now it’s our turn to protect our businesses with their guidance, by making some small and very big changes to the way we run our businesses.

Small Changes

Some of the small yet doable changes include updating your Privacy, Terms of Use, and Cookie policy and being transparent with your audiences (customers and site visitors) as to how and for what purpose you have been, and will be using their personal data.

Big Changes

And then come some big changes, like investing time and resources in assigning a Data Protection Officer (DPO) or a designated responsible person to make sure all the processes of security and privacy are up to date and that your business is GDPR compliant. Also, in case chaos occurs, you will have a specific person to put all the blame on!

Big Changes continued…

Along with assigning a DPO, your big changes will require you to create (and keep updated) certain internal compliance documents. One is the DPIA (Data Protection Impact Assessment), mainly governing the steps taken to assess the effect on the personal data of your customers (aka data subjects) of new activities/projects/products/courses/offers introduced in your business.

Then there will be a Data Retention Policy, governing the retention schedule of how long you will be storing the personal data of your users after they have deleted their accounts.

Big Changes are big, still continued…

Another very important internal document is the Inventory of Processing Activities, in which you need to make note of all the processing activities of your business and the third-party processors you deal with – your autoresponders, payment gateways, etc.

Any processor or third party where the personal data of your data subjects/ customers might be stored, needs to be GDPR compliant too.

You will also need to create a proper system of Data Subject Access Rights: in case your data subject/student requests the details of the personal information about them that is stored with you, you will have to respond to them within 30 days. Pretty big.

No wonder GDPR is going to be an additional department in your small business set-up, alongside the likes of Marketing, IT and Design.

Very Big Changes

The “Privacy by Design” aspect of the EU GDPR requires you to consider privacy at the ground level and take it into account throughout the whole engineering process when you design your site.

So, in case you are planning to start a new business after 25th May, 2018, at least it will be easier for you, for all your processors will be GDPR compliant and many companies will have come up with updated guidance and tool kits for GDPR compliance.

Now, this is just a brief list of the big changes you need to comply with. Since I am mainly dedicating this post to the most important Big Change, I am cutting it short here.


The most important big change is the one that revolves around Consents of the Data Subjects.

Consent is at the core of data protection.

What is Consent in reference to EU GDPR?

The main idea behind consent is to give your customers real choice and control over how their personal information will be used by your business, and over the explicit purposes for which you are using their information.

In a glance, there are three aspects to this:

1. Asking for Consents

  • Consent should be given by data subjects before processing is done for that consent.
    For example, if you need their consent to send them your future product offers, you will first ask for it and record their consent in your system before you jump to sending them your product offers.
  • Consent must be requested in clear and certain language. Be specific as to why you need it and how you will use that consent.
  • There needs to be a form that is signed or a clear digital action (like ticking of a check-box) on part of the data subject for each consent request.
  • Consent requires a clear and affirmative action from the user. This means, pre-ticked check-boxes and opt-outs won’t suffice.
  • Consent should not be bundled. This means that a separate consent should be taken and recorded for each purpose.
  • The data subject should be given a right to withdraw their consents at any point of time. Conditional consents are a strict no-no!
  • In case you are offering services to children (which most of our customers are), parental consents are necessary to give them access to your services.

2. Recording Consents

  • Each consent must be recorded for future evidence.
  • You need to keep a record of which statement they consented to and how exactly they consented.

3. Managing Consents

  • All the consents need to be regularly reviewed to make sure that the processes, purpose and relationship with the data subject have not changed. Is the data subject still your customer? Do you have processes and systems in place to update the consents as and when required (including the parental consents)?
  • Make it easy for your customers/ data subjects to withdraw their consents at any time, and publicize how to do so.
  • Act on withdrawals of consent as soon as you can. This can be best done if automated.
  • Don’t penalize your data subjects (example, not letting them have access to your course) if they wish to withdraw their consent.

Please note that for the activities that are essential to provide service to your customers, you do not require specific consent from your customers.

Consent forms one of the six main legal grounds for the lawfulness of personal data processing. Read this to know more – GDPR: legal grounds for lawful processing of personal data.

Why collecting, recording and managing consents is sooo important?

Just in case any of your customers (EU citizens) tries to wreck you (well, they do have the power to wreck you now), you will have an explicit consent from them recorded in your system.

How can we help you with the aspect of consents?

Well, since most of our customers (cheers to the active ones in our FB group) started long, long ago to worry about whether we would be GDPR compliant, we silently started working on making the lives of website owners a little easier.

Introducing ConsentUp

To all our lovely customers, and external site users who are not our customers:

A solution to store, manage and retrieve user consent.

In order to comply with privacy laws, you need to record the proof of consent. You need to be able to demonstrate that consent was collected.

ConsentUp aims to take care of all the aspects of collecting, recording, storing and managing consents on your site. And that too with the effects of consent withdrawals fully automated, one of the key requirements of requesting consent from your customers.

What ConsentUp does?

Effortless policy management and version control

  • Create, store and keep all your public facing mandatory policies up-to-date. Have instant access to all the versions created for each policy on your site. The basic mandatory policies may include Privacy, Terms of use and Essential cookie policy.
  • Create, collect, record and store all the consents within your admin management.
  • Intuitive UI and fully automated systems in place to record the effects of withdrawals of consents.

In short, ConsentUp is going to save you a hell of a lot of time and energy in complying with the most essential aspect of the EU GDPR.

Who can use this app?

  • Invanto platform users
  • External site users with self-hosted domains

Though we could just give our customers an option to create policies like other similar businesses, we wanted to be of literal relief to our customers, so the entire Invanto team has taken a little extra (too much) effort to come up with this concept to record and manage consents too.

Integrate ConsentUp with your site and you will have a complete system to record and manage the consents of your students in one go.

No more getting inside the code of your site to re-engineer design to fulfill the requirements of EU GDPR.

Quick Demo of ConsentUp

1. How to manage legal documents of your business

2. How to create consent documents

3. How to map policy documents with your Invanto sites

4. How to manage consents and revocations

Here’s what you should be recording:

  1. When the consent was given
  2. By whom (data subject)
  3. Which legal document they consented

Buckle Up & Become Compliant

  • Keep user consent and privacy preferences in one place
  • Store multiple consents for each user
  • For each consent, track the actual document the user was prompted with
  • For each user, get the historical consents
  • Easy dashboard for your users to manage their consents & revocations
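
A minimal sketch of the record the two lists above describe (when, by whom, which document, several consents per user, history and revocations), added here as an example and not ConsentUp's or Invanto's code. The class, field and purpose names are assumptions, and the sample events are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str    # by whom (the data subject)
    purpose: str       # one purpose per event, so consent is never bundled
    action: str        # "granted" or "withdrawn"
    doc_name: str      # which legal document
    doc_version: str
    doc_sha256: str    # digest of the exact text the user was prompted with
    at: datetime       # when, stored in UTC

class ConsentLedger:
    """Hypothetical append-only store: events are added, never edited."""

    def __init__(self):
        self._events = []

    def record(self, subject_id, purpose, action, doc_name, doc_version,
               doc_text, at=None):
        if action not in ("granted", "withdrawn"):
            raise ValueError("action must be 'granted' or 'withdrawn'")
        digest = hashlib.sha256(doc_text.encode("utf-8")).hexdigest()
        event = ConsentEvent(subject_id, purpose, action, doc_name, doc_version,
                             digest, at or datetime.now(timezone.utc))
        self._events.append(event)
        return event

    def history(self, subject_id):
        """All events for one data subject, in the order they were recorded."""
        return [e for e in self._events if e.subject_id == subject_id]

    def has_consent(self, subject_id, purpose):
        """The latest event for a purpose decides; no event means no consent."""
        events = [e for e in self.history(subject_id) if e.purpose == purpose]
        return bool(events) and events[-1].action == "granted"

def demo():
    """Constructed sample: two separate consents, then one withdrawal."""
    day = lambda d: datetime(2018, 5, d, tzinfo=timezone.utc)
    offers = "We will email you our future product offers."
    ledger = ConsentLedger()
    ledger.record("user-42", "product_offers", "granted", "privacy", "v1", offers, day(25))
    ledger.record("user-42", "analytics", "granted", "cookie", "v1",
                  "We set analytics cookies.", day(25))
    ledger.record("user-42", "product_offers", "withdrawn", "privacy", "v1", offers, day(28))
    return ledger
```

A withdrawal is stored as a new event rather than a deletion, so the earlier grant stays available as evidence while `has_consent` stops any further processing for that purpose.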

ConsentUp is Available Now

Login to your Invanto account, select the “ConsentUp” from the top right menu, and start making your business compliant.


  1. You guys never stop innovating!!! This is just amazing.
    Already activated for my memberfactory sites. Can’t wait for the WP plugin.
    Invanto Rocks!

  2. This looks really nice. But I have a question. I saw a WordPress GDPR plugin somewhere which allows you to create documents. I got an email today from the plugin developer that he will add the same consent log feature. Do we need your app if we have that GDPR plugin?

    1. Trevor – GDPR has hefty fines …up to $20M+ for a reason…not sure if a $20 plugin is good enough to make you compliant.
      GDPR is not only about displaying T&C or Privacy and recording consents. There’s a lot more to it in terms of database encryption, security, internal DPIAs etc. that you need to take care of. Installing a plugin on your site leaves so many questions unanswered – are you using shared hosting? Is your database secure enough? Do you have automated offsite data backups? Do you have a database recovery plan in place? What if your site gets hacked, which happens a lot with WP sites? Plus 100 other questions.
      GDPR is a newborn baby, and it is going to take some serious shape in coming times. Using WP plugins or anything is fine, as long as you know what you are doing. We strongly suggest sticking with SaaS providers who are technically obliged to provide such compliances, until we all know where GDPR is heading.
      Hope this helps.