On 2 March, the ICO issued draft GDPR Consent Guidance for consultation. The draft guidance details the requirements for consent and how consent can be obtained and managed. Responses to the consultation can be submitted to the ICO until 31 March 2017.
One of the key changes that the GDPR will bring in is the enhanced requirement for consent and the consequent need for businesses to review, and in many cases revise, their consent mechanisms.
Under the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
The high bar for consent under GDPR means that businesses will have to have in place specific, granular, clear and unambiguous opt-in methods for obtaining consent, along with good records, regular reviews and easy ways for people to control and withdraw their consent. Blanket consent, pre-ticked boxes and consent by default will not suffice. The ICO describes consent as “an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”.
The guidance highlights that consent is not the only lawful basis available for processing personal data. There are in fact six lawful bases for processing personal data, including processing for legitimate interests. The guidance sets out scenarios where consent is an inappropriate basis for processing, e.g. where a business would still process personal data under a different legal basis if consent was refused or withdrawn, or where the business is in a position of power over the individual, such as in an employment relationship. If a business is struggling to meet the requirements for consent, this is also likely to indicate that consent is not the appropriate basis for processing. However, consent is still likely to be needed for most marketing calls and SMS, and where cookies and online tracking devices are being used.
There is no avoiding the requirements for consent under GDPR, so businesses are encouraged to get it right as a way of enhancing reputation and gaining trust and a competitive edge.
If you have any further questions please contact Sarah Williamson.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.