The UK Information Commissioner's Office (ICO) has published draft guidance on consent under the General Data Protection Regulation (GDPR), the latest in a string of guidance the ICO intends to publish in the lead-up to the GDPR coming into force in May 2018. The purpose of the guidance is to set out the ICO's recommended approach to GDPR compliance, providing practical advice on what counts as valid consent. Whilst the concept of consent is not new, the GDPR expands on the existing Data Protection Act 1998 (DPA) standard, most notably in the mechanisms for obtaining consent. Doing consent well puts individuals in control, builds customer trust and engagement, and enhances organisational reputation, but it also avoids exposing your business to substantial fines for non-compliance (up to €20 million, or 4% of the organisation's total worldwide annual turnover, whichever is higher).
The guidance reminds businesses that consent is not always required; consent is only appropriate if you can offer people real choice and control over how you use their data – and the lack of real choice will invalidate consent. If you would still process personal data without consent, to ask for it would be misleading and inherently unfair. Organisations should also avoid making consent a precondition of a service. Additionally, consent cannot be freely given where the controller has power over the individual (e.g. public authorities and employers) so another lawful basis that is more appropriate should be considered. It is likely that consent will be necessary under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people's devices.
What form should consent take? Consent must now be unambiguous and involve a clear affirmative action. This requires a positive opt-in; the GDPR specifically bans the use of pre-ticked boxes or other methods of consent by default. Consent requests should not be buried in terms and conditions, but kept separate from them. Vague or blanket consent is not permitted – consent must be clear, concise, informed and unambiguous, and explicit consent requires a clear and specific statement of consent, expressly confirmed in words.
The GDPR gives a specific right to withdraw consent at any time, requiring organisations to tell people about this right in a straightforward and accessible way. Once consent has been received, organisations must keep evidence and clear records of it. In addition, third parties who will rely on the consent must be named, and the consent must specifically cover the controller's name, the purposes of the processing, and the types of processing activity. A one-off consent request may not be sufficient; there is no set time limit for consent, and how long it lasts will depend on context. The ICO includes a helpful checklist within the guidance for organisations to consider.
In light of these changes, organisations must check their consent practices and existing consents to ensure they comply with GDPR standards, refreshing those that do not meet it. Going forward, organisations are expected to keep consent under review and make changes as necessary.
Comments on the guidance can be submitted to the ICO via their webpage. The deadline for comments is 31 March 2017. Thereafter, the ICO aims to publish the final guidance in May 2017.
The ICO also intends to publish guidance on contracts and liability over the next couple of months.