The Information Commissioner’s Office (ICO) has published its first detailed guidance for the GDPR (General Data Protection Regulation), relating in this instance to the topic of consent. The consultation closes on 31 March 2017.
The concept of consent is not new, but the GDPR sets higher standards, requiring significantly more detail on both the standard of consent and the processes for obtaining it. One of the essential elements in the new regulation is the requirement for explicit consent, supported by a very clear and specific statement. No more preselected tick boxes!
You will need clear and more “granular” opt-in methods, good records of consent, and simple, easy-to-access ways for people to withdraw consent. The key elements of the consent definition remain: it must be freely given, specific and informed, and there must be an indication signifying agreement. The GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action. Also, the data subject has only agreed to the activities outlined in the consent statement (which should be recorded), and nothing more. If the planned uses of personal data change, the data controller will need to review existing consent statements to ensure the new activity is covered and, if it is not, issue revised consent statements before the new activity begins. This includes recording these revisions to consent against the records held on data subjects.
Any organisation that does business with EU citizens, whether processing and storing personal data inside or outside the EU, must comply with the GDPR's expanded and more stringent data protection rules by 25 May 2018.
The ICO guidance states that you are not required to automatically refresh all existing DPA consents in preparation for the GDPR; however, the new Regulation is clear that where consent has been given under the Data Protection Directive, it will only be valid if it also meets the requirements under the GDPR. Therefore, you will need to be confident that your consent data already meets the new requirements. You will also need to put in place mechanisms for individuals to withdraw their consent quickly and easily. If existing consent data does not meet the GDPR’s higher standards or is poorly documented, you will need to seek fresh GDPR-compliant consents, or possibly stop the data processing.
The ICO’s GDPR consent guidance includes a checklist (see the last two pages) that helps to determine whether you need to improve your processes for asking for, recording and managing consent. This checklist will also help to determine whether you need to ask for new consent. We recommend that firms start to address this whole issue very soon, to ensure they can meet the 25 May 2018 deadline for compliance.
If you need any further clarification on the above or advice generally, please do not hesitate to get in contact.
Senior Regulatory Compliance Consultant