The UK Information Commissioner's Office (the "ICO") has recently published a draft guidance (the "Guidance") for data controllers on consent under the General Data Protection Regulation (the "GDPR").
Consent is one lawful basis for processing personal data, and while the bases for lawful processing remain broadly unchanged by the GDPR, the threshold for obtaining consent has been significantly raised. For non-sensitive personal data, the GDPR requires that consent be informed and unambiguous, and given by a statement or by a clear affirmative action; for sensitive personal data, it retains the requirement for explicit consent.
The Guidance outlines the key changes data controllers should make in practice to ensure this higher threshold for consent is met, including recommending that:
- current consent processes and records are reviewed to ensure the GDPR threshold is met;
- requests for consent are separate from other terms and conditions;
- detailed records are maintained to indicate what an individual has consented to;
- any third party processors relying on the data subject's consent are clearly identified in the consent language (broad categories of recipients/disclosees being no longer sufficient); and
- procedures are put in place to ensure it is as easy for a data subject to withdraw consent as it was to provide such consent.
The Guidance highlights the obligation of data controllers to manage consent proactively, as a dynamic part of their ongoing relationship with data subjects. It recommends that organisations adopt data subject preference-management tools such as privacy dashboards, which some social media providers in particular have already implemented.
The Guidance (available here) forms part of a consultation process that closes on Friday 31 March 2017, following which we expect the ICO to publish final guidance in or about May 2017.