The Information Commissioner’s Office (ICO) has published its draft guidance on consent for the General Data Protection Regulation.
The guidance is out for consultation, with responses required by 31st March 2017.
Remind me - what is the GDPR?
The General Data Protection Regulation is a European Union regulation. It aims to strengthen and increase consistency in data protection for individuals within the EU. It also governs the export of personal data outside the EU.
It will replace the 1995 EU data protection directive (officially Directive 95/46/EC) and the UK Data Protection Act 1998 (DPA) when it comes into force on 25 May 2018.
The new regulation will affect any firm that:
- Possesses or processes data pertaining to an identifiable person
- Contacts those individuals via email, phone, SMS or mail
- Tracks their engagement via e-shots, cookies, or landing pages for the purpose of profiling an individual
In other words, it impacts pretty much every B2B and B2C business.
You can read more about the regulation and what it means for firms here.
Although it’s an EU regulation, it seems that the imminent Brexit is no reason to stop preparations. In spite of the UK’s upcoming departure from the Union, the relatively short deadline for GDPR compliance means that marketers need to assume it’s ‘business as usual’ in terms of working to meet the requirements.
And with commentators asking whether the new rules have the potential to be the next PPI scandal, firms would be wise to get on the front foot.
What is 'consent' in the context of the GDPR?
The ICO states in its consultation document that ‘The GDPR sets a high standard for consent’.
The draft guidance sets out:
- The ICO’s recommended approach to compliance
- What counts as valid consent
And includes information to help firms decide when to rely on consent, and when to look at alternatives.
What does the ICO document clarify?
The consultation paper gives more information on:
- when and how consent should be the basis for processing data
- The other five legal bases for data processing, which are:
- Having a contract with the individual: for example, to supply goods or services they have requested, or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- The need for compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
- Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can.
- Legitimate interests: if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
The last of these – ‘legitimate interests’ is likely to be of interest to marketers.
The fact that firms can contact individuals for ‘a genuine and legitimate reason (including commercial benefit)’ could be seen as a green light for direct marketing under the new rules.
This is certainly the way the Direct Marketing Association has read it. In its response to the consultation, DMA CEO Chris Combemale said that:
"The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.”
The ICO document also clarifies how long consent lasts, clearly stating that its duration is based on the context in which it was given.
This will also be welcomed by marketers – and by the DMA, who said:
"The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance.”
What changes will marketers need to make to comply with GDPR?
The ICO guidance sums up the requirements as follows. Consent:
- must be freely given; this means giving people genuine ongoing choice and control over how you use their data.
- must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
- requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly.
- should be obvious and require a positive action to opt in.
- must be expressly confirmed in words, rather than by any other positive action.
- There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.
What happens next?
If you want to contribute to the consultation, you can download the Consent Guidance Consultation Document from the ICO’s website and either email or post it back to them (details for both are in the document).
The ICO will then collect and analyse the results of the consultation. It is hoping to publish its guidance in May 2017, (depending on any developments at a European level that it needs to take into account). The guidance will be published on the ICO’s website once ready.
Stay on the front foot in terms of marketing compliance
The GDPR is just one of the compliance challenges facing regulated marketing teams. You can ensure your activity is compliant with all the current regulations by reading our Marketing Guide to Compliance. This comprehensive guide has everything marketers need to know about financial promotions. Download your free copy here.