ICO guidance on consent to data processing under the GDPR
The ICO has published a draft of its guidance on the new consent requirements under the GDPR.
Ahead of the General Data Protection Regulation (GDPR) coming into force in May 2018, the Information Commissioner’s Office (ICO), the UK’s regulatory body for upholding information rights, has committed to publishing topic-specific guidance on GDPR throughout 2017. The consent guidance is the first such guidance note to be published (draft Guidance).
Consent is one of the six lawful bases for the processing of personal data under both the current law and the GDPR. Whilst consent is required for certain types of processing, it is often not the preferred basis for data controllers, because of the difficulty of ensuring that the consent an organisation relies upon meets the high standards required by European data protection laws.
Changes to the current law
Under the GDPR, the definition of consent remains similar to the definition under the current law (Directive 95/46/EC). Two main additions require that consent is “unambiguous” and given “by a statement or by a clear affirmative action”.
However, as the draft Guidance emphasises, the standard of consent under the GDPR is higher than the current law and requires that individuals have “clear granular choices upfront and ongoing control over their consent”.
The ICO views consent as an “organic, ongoing and actively managed choice” and not as a “one-off compliance box to tick and file away”. The ICO therefore recommends that organisations invest in preference management tools such as privacy dashboards to allow individuals to easily control how their personal data is processed.
Helpfully, the draft Guidance sets out the key points on consent under the GDPR. These are the requirements which organisations will need to ensure they have met in order to rely on consent as a basis for lawful processing.
Consent must meet the following requirements:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g. a binary choice given equal prominence).
- Granular: give granular options to consent separately to different types of processing wherever appropriate.
- Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
- No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
“There is no such thing as ‘evolving’ consent”
The draft Guidance is clear that organisations can continue to rely on existing consent only where it was given in line with GDPR requirements.
Any existing consent which does not, or cannot be demonstrated to, meet the high standards of the GDPR should not be relied upon: either fresh consent must be sought, an alternative lawful basis relied upon, or the processing stopped. If the detail of the processing changes, the consent will no longer be specific enough and therefore cannot be relied upon.
The new higher standard of consent is one of the areas of the GDPR which may prove popular among individuals but create a heavy compliance burden for organisations.
The requirement that any consents which do not meet the high standards of the GDPR should be refreshed will be problematic for some organisations. Many organisations will be required to reobtain consent or assess if they should in fact be relying on an alternative lawful basis for processing. Such an assessment can be very complex and may require expert legal advice.
The ICO has received over 300 responses to the draft Guidance, which is set to be published in final form in June 2017. The ICO has stated that this proposed date may be affected by developments at the European level. In parallel, the Article 29 Working Party, a body made up of European data protection regulators, is set to release its own consent guidance later this year.
This blog post was written by Amelia Day, trainee solicitor at White & Black.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.