The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and bearing in mind the preparation required to be ‘GDPR ready’, the date is fast approaching. One of the challenging aspects of the GDPR is the higher standard now required for obtaining an individual’s consent to the processing of their personal data, which is one basis for the lawful processing of personal data. The recently published draft guidance by the UK Information Commissioner’s Office (ICO) on obtaining consent is a welcome update for businesses as they revisit their approach to processing personal data to get ready for the GDPR.
The guidance summarises the key changes as follows:
- Businesses will need to keep consents separate from their other terms and conditions. Consent cannot be a precondition to signing up to a business’s services.
- Pre-ticked opt-in boxes will be banned.
- Businesses will need to keep accurate records to demonstrate consent.
- Individuals will have the right to withdraw their consent to the processing of their data at any time and must be made aware from the outset how they can do that.
Businesses will need to review any consents that were obtained prior to May 2018 in accordance with the Data Protection Act 1998. The ICO have indicated in their guidance that if the consent complies with the GDPR standard there is no need to obtain new consent. However, if the process by which the consent was obtained does not meet the new standard, a fresh consent will be required.
The Article 29 Working Party has promised to issue guidance on this same topic later this year, so it will be interesting to see what further clarity their guidance will add. The clear message from the ICO is that individuals are going to have stronger rights under the GDPR and businesses are going to need to start assessing their current procedures to ensure compliance.