One of the most difficult aspects of the General Data Protection Regulation (GDPR) is obtaining an individual’s consent to the processing of their data. The Information Commissioner’s Office (ICO) has just issued draft Guidance which puts more flesh on the bones of GDPR’s requirements in this area.
The first thing to note is that this is only draft Guidance. The consultation period in respect of it runs until 31 March 2017. The ICO indicates that thereafter it will aim to publish finalised Guidance by May 2017. However, the ICO sounds a further word of caution: the Guidance might be subject to any guidelines issued by the collective body of European Data Protection Regulators, the Article 29 Working Party.
Despite this, the draft Guidance is broadly helpful and useful in our view. Here are the main themes:
More focus on other grounds to process data
The ICO recognises that GDPR sets a high standard for consent and it will not be easy to obtain. The ICO therefore encourages organisations to look at other possible grounds for processing data where those are the real bases for the processing, such as the legitimate interests of the data controller or processing necessary for the performance of a contract. This is particularly the case in the context of employees where the ICO notes it will be very difficult to say employees can ever consent in terms of having any real choice. The ICO also points out that organisations should not be seeking consent where processing would still be conducted without it, as to do so would be misleading and “inherently unfair”.
What is “explicit consent”?
A big question under GDPR is: what is the difference between ordinary consent and explicit consent? Explicit consent can be needed, for example, when processing special categories of data such as health related information. Here the ICO says “explicit” means that consent must be expressly confirmed in words, rather than being implied from any other positive action. As for ordinary consent, this must be opt-in, such as positively ticking a box or clicking a link, signing a consent statement, confirming agreement in reply to an email requesting consent, oral confirmation (remembering that this must be properly recorded) or choosing between binary yes/no options. Silence, pre-ticked boxes, opt-out boxes or inactivity will not be sufficient.
Consent clauses should be very clear
When seeking consent to data processing the ICO says that the relevant terms must be kept separate from other terms and conditions. When explicit consent is required this should be kept separate from other consents. Consent should also be sought in a granular way. Unless it would be confusing, each purpose and each type of processing requires a separate consent rather than one tick box for all processing. If it needed to be said, the ICO is highlighting that Privacy Notices given to individuals are likely to require a fundamental overhaul in order to satisfy the stringent requirements of GDPR.
Does data need to be re-consented?
The ICO makes clear that consents obtained under the current regime may not be sufficient for GDPR. In that case the data will need to be re-consented before May 2018 or another ground of processing found to legitimise its continued processing.
The record keeping burden will be strict
The ICO says that evidence of consent kept on spreadsheets summarising when it was given will not be enough. Records of the actual consent will need to be kept. Where consent is given orally a note should be made and retained.
Other key points
The ICO makes other points which are apparent from the text of GDPR, such as that consent should not be a pre-condition of signing up to a service unless necessary for providing that service, and that consent should be easy to withdraw.
Where do we go to from here?
There is a degree of unreality to these requirements in terms of individuals being prepared to go through consent provisions in this level of detail. The ICO is right to recognise that organisations will therefore have to focus much more on other grounds to legitimise processing. Do not forget however that those grounds need to be properly assessed and recorded (a point the ICO emphasises) and Privacy Notices will still need to be issued to the affected individuals so that they are aware of what is being done with their data and the basis for it.
There is also a degree of frustration that these Guidelines are taking so long to produce and finalise. Given the magnitude of the task, many organisations have already begun to seek consent in a GDPR compliant way or re-consent existing data.
At least there is an opportunity to provide comments on these draft Guidelines during the consultation period.