The Information Commissioner’s Office (“ICO”) has opened for consultation its draft guidance on consent under the General Data Protection Regulation (“GDPR”). The ICO is accepting responses until 31 March 2017.
The ICO has published its first piece of subject-specific GDPR guidance for public consultation. The guidance concerns consent under the GDPR and the ICO hopes to gather the views of stakeholders and the public in order to inform the final version of the guidance (provisionally aiming to publish in May 2017).
For processing to be lawful under the GDPR, there is an obligation to identify (and make a record of) the lawful basis (the “Condition”) for the processing. There are six Conditions listed in Article 6(1), and consent is one of them. The role of consent as a Condition is not something that is being introduced by the GDPR; the definition and role of consent remains similar to that found under the Data Protection Act 1998 (“DPA”). What the GDPR does, however, is expand the DPA standard of consent in several areas.
The key changes are as follows:
- Giving consent: the GDPR is clearer (when compared to the DPA) that an indication of consent must be unambiguous and involve a clear affirmative action.
- Unbundled: requests for consent should be kept separate from other terms and conditions. In particular, consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: consent must be opt-in consent; there is no such thing as ‘opt-out consent’. In other words, failure to opt-out cannot be taken to be consent; there needs to be a positive action in order to consent. Further, pre-ticked opt-in boxes are invalid; a party cannot rely on silence or default settings to obtain consent.
- Granular: obtain separate consent for different types of processing wherever appropriate.
- Named: the individual should be made aware of any third parties to whom his or her personal data will be disclosed. The ICO’s view is that third parties must be listed by name - “precisely defined categories of third-party organisations will not be acceptable under the GDPR”.
- Documented: records must be kept demonstrating what the individual has consented to (including the specific information given to them) and the date and means of how they consented. Consents should also be kept under review and refreshed if anything changes. Consent should be seen as an ongoing and actively managed choice, not as a one-off box-ticking exercise.
- Easy to withdraw: data subjects should be made aware of the right to withdraw their consent at any time as well as the method for doing so. It must be as straightforward to withdraw as it was to give consent.
- No imbalance in the relationship: consent will not usually be appropriate where there is an imbalance of power between the individual and controller, in such circumstances consent may not be considered freely given. Therefore, public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent (instead, they should look to rely on an alternative Condition).
Consequences for existing consents
There is no requirement to obtain fresh consents for all existing DPA consents in preparation for the GDPR. However, there is a need to review all consents currently in place (along with how consents are currently documented) in order to ensure the standard expected by the GDPR is met. Furthermore, organisations will need to ensure that certain mechanisms are in place which allow for individuals to easily withdraw their pre-GDPR consent (and incorporate such measures where this is not the case).
If existing DPA consents do not meet the standard set by the GDPR or have not been sufficiently recorded, fresh GDPR-compliant consent will need to be sought, or a different Condition for processing (ensuring that the continued processing is fair) will need to be identified. Otherwise, processing must be stopped.
The ICO has helpfully provided a checklist at the end of the draft guidance that details the steps that should be taken to seek valid consent under the GDPR. This checklist is a helpful starting point for reviewing existing consents.
Although the ICO plans to publish the guidance in its final form by May this year, it has stated that this timescale may be affected if it needs to take account of developments at European level. The ICO also indicated that it is currently working with its European counterparts (as part of the Article 29 Working Party) to produce further guidelines on consent later in 2017.