Part of a privacy professional’s job is the development of processes and policies to manage the consent of an individual. When someone does consent to their information being processed, there should be a means to record that they have done so and also a way for that individual to revoke their consent or opt-out of processing. However, what often gets overlooked is the idea of what you do when someone declines to opt-in at all.
When someone states that they do not want their information processed, there are a few things to do. First, you should record that non-consent. This allows you to go back and know they opted-out, preventing confusion later where their data may be collected from another source and cross-referenced with an existing database. Things can get messy when you disobey the wishes of a data subject, sending them information when told specifically not to. Small mistakes may be an accident, but it is doubtful that repeated offenses of this nature would be brushed off as simple accidents.
Once you know they opted-out or did not consent, that is not the end of it, however. First, we need to check back on the definition of what personal information is. Each jurisdiction will have a different definition, even if only slightly. The key thing to look for here is what information IS NOT considered PII. The reason this is the case is that you may want to still process information that is not PII. This could be information that is not relatable back to an individual. This means you could still process the general location information about a person, provided it is not specific enough to be related to them. Essentially, you may still have some useful information that was collected that can be processed without the identifying information.
Make sure to consult with your legal team before doing any processing of information. As stated before-hand, making a simple mistake will be seen as more than just an accident in the legal authorities’ opinion. Also, be sure to consider if it is necessary or beneficial to engage in this processing. It may not be useful to know what kind of people are not opting-in or consenting.