On 2 March 2017, the ICO issued a consultation on its draft "GDPR Consent Guidance" (the "Guidance"), which ended on 31 March.
We will report fully once the final guidance is published, but key points to note are as follows:
- the GDPR standard of consent is higher than under current data protection law;
- consents must be informed, unambiguous and communicated by an affirmative action – so no pre-ticked boxes;
- consent must be granular, split down for each different purpose for which you wish to rely on consent as a legal ground, and separate from the terms and conditions;
- if your current consent doesn’t meet the GDPR standard, it won't be a valid consent come 25 May 2018; and
- technically, this Guidance relates to consent as a legal ground to processing personal (and sensitive personal) data. There are other times you may need to obtain consent under the GDPR – for example on profiling. Chances are similar principles will apply.
Of key relevance to the insurance sector is the position that consent should not be a precondition of a service. The challenge for the insurance sector is that the only legal ground for the majority of its processing of sensitive personal data, particularly health data, is 'explicit consent'. As an insurance policy cannot be provided without processing such information, the consent will have to be "conditional"; that is, individuals will have to be told that if they do not consent, they cannot take out the policy.
We have worked with the LMA, ABI, IUA, LIIBA, BIBA and BIPAR to produce a response to the ICO, requesting guidance on conditional consent and suggesting the ICO could use an insurance sector example.
In a two-pronged attack, the same insurance industry bodies have also contacted DCMS to request an additional ground for the processing of sensitive personal data by the insurance sector, to avoid its over-reliance on explicit consent.
Organisations should monitor the Guidance and any further communications from the ICO.
In particular, organisations should note the key points arising out of the Guidance and consider what changes will need to be made to current consent practices to ensure compliance.