The Information Commissioner’s Office (ICO) has published its first detailed guidance for the GDPR (General Data Protection Regulation), relating in this instance to the topic of consent. The consultation closes on 31 March 2017.

The concept of consent is not new, but the GDPR sets higher standards, requiring significantly more detail on both the standard and processes for consent. One of the essential elements in the new regulation is the requirement for explicit consent, supported by a very clear and specific statement. No more preselected tick boxes!

You will need clear and more “granular” opt-in methods, good records of consent, and simple, easy-to-access ways for people to withdraw consent. The key elements of the consent definition remain – it must be freely given, specific and informed, and there must be an indication signifying agreement. The GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action. Also, the data subject has agreed only to the activities outlined in the consent statement (which should be recorded), and nothing more. If the planned use of personal data changes, the data controller must review the existing consent statements to check whether the new activity is already covered; if it is not, revised consent statements must be issued before the new activity begins, and these revisions must be recorded against the records held on each data subject.

Any organisation that does business with EU citizens, whether processing and storing personal data inside or outside the EU, must comply with the GDPR's expanded and more stringent data protection rules by 25 May 2018.

The ICO guidance states that you are not required to automatically refresh all existing DPA consents in preparation for the GDPR; however, the new Regulation is clear that consent given under the Data Protection Directive will only remain valid if it also meets the GDPR requirements. Therefore, you will need to be confident that your existing consent data already meets the new requirements. You will also need to put in place mechanisms for individuals to withdraw their consent quickly and easily. If existing consent data does not meet the GDPR’s higher standards or is poorly documented, you will need to seek fresh GDPR-compliant consents, or possibly stop the data processing.
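The two paragraphs above describe a process (record the statement the person agreed to, refuse preselected boxes, scope processing to the named purposes, issue a revised statement before a new activity starts, treat legacy consents as valid only if they meet the new tests, and make withdrawal a single easy step). The following Python is an added, illustrative consent ledger showing how that process can be modelled in code; it is not from the ICO guidance and the class, field and purpose names are hypothetical assumptions.

```python
"""Illustrative purpose-scoped consent ledger (hypothetical model, not the ICO's)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentStatement:
    """One version of the wording a data subject agreed to."""
    statement_id: str
    version: int
    text: str
    purposes: frozenset  # the specific activities this wording covers


@dataclass
class ConsentRecord:
    subject_id: str
    statement: ConsentStatement
    granted_at: datetime
    method: str                # how agreement was captured, e.g. "web_form_unticked_box"; "" if unknown
    affirmative_action: bool   # True only for an explicit opt-in
    withdrawn_at: Optional[datetime] = None


def meets_gdpr_standard(rec: ConsentRecord) -> bool:
    """A consent (legacy or new) counts only if it is documented and unambiguous."""
    return (rec.affirmative_action
            and bool(rec.method)
            and bool(rec.statement.text)
            and bool(rec.statement.purposes))


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict = {}  # subject_id -> list of ConsentRecord

    def record_consent(self, subject_id, statement, method, affirmative_action, when=None):
        # A preselected box is not an affirmative action, so it is refused at the point of capture.
        if not affirmative_action:
            raise ValueError("no clear affirmative action: a preselected box is not consent")
        rec = ConsentRecord(subject_id, statement, when or datetime.now(timezone.utc), method, True)
        self._records.setdefault(subject_id, []).append(rec)
        return rec

    def import_legacy(self, rec: ConsentRecord) -> None:
        """Keep a DPA-era record exactly as it was captured; validity is judged on use."""
        self._records.setdefault(rec.subject_id, []).append(rec)

    def withdraw(self, subject_id, when=None) -> int:
        """Withdrawal is one call that closes every active consent for the subject."""
        now = when or datetime.now(timezone.utc)
        closed = 0
        for rec in self._records.get(subject_id, []):
            if rec.withdrawn_at is None:
                rec.withdrawn_at = now
                closed += 1
        return closed

    def active(self, subject_id):
        return [r for r in self._records.get(subject_id, [])
                if r.withdrawn_at is None and meets_gdpr_standard(r)]

    def may_process(self, subject_id, purpose) -> bool:
        """Processing is allowed only for a purpose named in a valid, active statement."""
        return any(purpose in r.statement.purposes for r in self.active(subject_id))

    def needs_refresh(self, subject_id, planned_purposes) -> set:
        """Purposes not yet validly agreed to; a revised statement must be recorded first."""
        covered = set()
        for r in self.active(subject_id):
            covered |= r.statement.purposes
        return set(planned_purposes) - covered


def demo() -> dict:
    """Constructed walk-through: v1 consent, a planned new activity, v2 consent, withdrawal."""
    ledger = ConsentLedger()
    v1 = ConsentStatement("newsletter", 1, "Email me the monthly newsletter.", frozenset({"newsletter"}))
    ledger.record_consent("subject-1", v1, method="web_form_unticked_box", affirmative_action=True)

    # Constructed legacy record: no captured method and no affirmative action, so it is not valid.
    legacy = ConsentRecord("subject-2", v1, datetime(2016, 1, 1, tzinfo=timezone.utc), "", False)
    ledger.import_legacy(legacy)

    planned = {"newsletter", "product_analytics"}
    gap_before = ledger.needs_refresh("subject-1", planned)  # the new activity is not covered yet
    v2 = ConsentStatement("newsletter", 2,
                          "Email me the newsletter and analyse my use of the product.",
                          frozenset(planned))
    ledger.record_consent("subject-1", v2, method="web_form_unticked_box", affirmative_action=True)
    gap_after = ledger.needs_refresh("subject-1", planned)
    withdrawn = ledger.withdraw("subject-1")
    return {
        "gap_before": gap_before,
        "gap_after": gap_after,
        "legacy_valid": ledger.may_process("subject-2", "newsletter"),
        "withdrawn": withdrawn,
        "after_withdrawal": ledger.may_process("subject-1", "newsletter"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that every check runs against the recorded statement text and its purposes, never against a bare "consented: yes" flag, so a new activity surfaces as a gap that must be closed by a new recorded version before processing starts, and a legacy record that cannot show an affirmative action is simply never treated as valid.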

Adding to the complexity of determining the changes to ensure compliance with the GDPR, we are anticipating the final text of the proposed ePrivacy Regulation. The EC plans to implement this Regulation at the same time as the GDPR. This Regulation will likely bring limitations on "soft opt-ins", a clearer distinction made for B2B communications, and further restrictions on the use of cookies.

The ICO’s GDPR consent guidance includes a checklist (see the last two pages) that helps to determine whether you need to improve your processes for asking for consent and for recording and managing consent. This checklist will also help to determine whether you need to ask for new consent. We recommend that firms start to address this whole issue very soon, to ensure they can meet the 25 May 2018 deadline for compliance.

If you need any further clarification on the above or advice generally, please do not hesitate to get in contact.

Jackie Wright
Senior Regulatory Compliance Consultant
