Consent under GDPR – the latest guidance from the ICO

Checklist-01The Information Commissioner’s Office has published its final detailed guidance on consent to help firms with their preparations for GDPR.

Here we look at what this guidance tells us, and what you need to do to comply before the deadline.


GDPR – the final countdown

There are now only days left until the General Data Protection Regulation comes into effect on 25 May.

With this in mind, the ICO has released final guidance aimed at giving firms clarity on the issue of consent. The ICO guidance follows the guidance issued by the European Group of Data Protection Authorities, the Article 29 Working Party.

The Office – the UK’s representative on this Working Party – has previously addressed some of the myths around consent and other aspects of GDPR compliance.

You can read summaries of the myth-busting blogs in GDPR – sorting the myths from the reality and How to separate GDPR compliance myths from reality.

So, what is the definitive guidance on consent – something the ICO calls ‘a hotly debated topic’?

In a new blog on the consent guidance, Steve Wood, Deputy Information Commissioner addresses the myth that ‘We have to get fresh consent from all our customers to comply with the GDPR’.

The blog states:

‘You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.’

How do you know if your processes for consent meet GDPR standards?

How do you even know if you need consent, when there are five other lawful bases for processing data, one of which may be more appropriate for your firm?

Steve Wood makes it clear that ‘No single basis is ‘better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual’.

The Information Commissioner’s Office has a useful lawful basis interactive guidance tool that you can use to identify the most likely lawful basis for your firm’s processing activities.

But if you are using consent as the basis for your data processing, in the words of the ICO, ‘energy and effort must be spent establishing informed, active, unambiguous consent’.

If you have already obtained consent in a way that meets the GDPR guidelines, you may have done enough. The blog says that:

‘Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.’

At the other end of the scale, if your original method of obtaining consent would not have complied with the existing Data Protection Act, it may not be appropriate to ask for fresh consent. So, you also need to check whether your previous or current consent-gathering processes have been compliant.

Emails seeking consent have to be clear – people need to understand what it is they’re consenting to. Ambiguous or unclear requests for consent will not be compliant.

You also need to be open and transparent about how people’s data will be used. The ICO has produced some helpful guidance on this too.

Is email the best approach?

Think about whether email is the best or only way to request consent from your customer base. It may not be. Are there other places where you can embed consent requests – on your website, for instance, or in hard copy mailings – to reach them more effectively?

Where do I go for more information?

The ICO’s GDPR microsite is an excellent source of information, with downloadable tools. The What’s new page gives a summary of developments by date.

If – like many organisations – you’re still getting to grips at this late stage with the practicalities of compliance with the new regulation, you’ll also find our previous blogs helpful. Find out how to avoid some potential GDPR pitfalls in your marketing and explore the implications for regulated firms and for SMEs.

You may also want to find out what efficiencies you may need to make to counteract the increased work the new regulation brings, and how your marketing activity may change as a result.

Make sure you’re prepared for ongoing compliance

The new law takes full effect on 25 May. But compliance with the deadline is just the first step in your GDPR journey. In the coming weeks, we’ll look at what firms need to do to remain compliant and improve their data processing practices in the long-term.

One essential step here is to make sure good governance sits at the heart of your business. With strong processes, you make compliance non-negotiable and embed the good behaviours that steer your firm away from regulatory breaches.

You can read more about how to do this in our whitepaper, How to embed a compliance culture into your business. The whitepaper is free and you can get a copy here.

Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.

New Call-to-action