ICO guidance: “consent is not the silver bullet for GDPR compliance”
The ICO reiterated that organisations do not necessarily need to obtain fresh consent from all of their customers in order to comply with GDPR.
In the final run-up to the GDPR coming into force, the ICO produced a blog post reiterating the message that consent is not the “silver bullet” for GDPR compliance. This is the latest in a series of “myth busting” guidance notes produced by the ICO, and focuses on an area which has attracted a huge amount of attention in the media and among organisations generally. The ICO, no doubt in response to a flood of last-minute queries on the topic, chose to single this issue out for final clarification ahead of the 25 May deadline.
The key point is that consent is one of six possible lawful bases on which organisations are able to process data, and “no single basis is ‘better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual”.
One of many helpful ICO resources on this point is the “lawful basis interactive guidance tool” which aims to point organisations in the direction of the most appropriate lawful basis for their particular processing activities. This may be consent, but the overriding message from the ICO is that alternatives exist and organisations should consider each of these rather than automatically requiring their customers to provide consent.
Of course, in some instances it will be appropriate to rely on consent, and in those cases it is important to ensure that that consent meets the higher standard required by the GDPR (ie freely given, specific, informed, unambiguous and active). Particular care should be taken if organisations wish to use existing databases which were compiled on the basis of pre-GDPR consent. If that consent meets the (newer, higher) GDPR standard, then organisations can continue to rely on it. Issues arise, however, where that consent does not meet the GDPR standard and organisations attempt to “re-consent” their database. These issues can be avoided entirely if organisations heed the ICO’s advice and rely on alternative grounds for processing data, rather than focusing exclusively on consent.
Other useful takeaways from the guidance include:
- if consent under the Privacy and Electronic Communications Regulations 2013 (PECR) is required to send a marketing message, then in practice consent will also be the appropriate lawful basis under the GDPR. However, if PECR does not require consent for marketing, the data controller may be able to consider legitimate interests instead;
- consent is also unlikely to be the most appropriate lawful basis for processing if a data controller requires the individual to agree to processing as a condition of service. If so, the most appropriate lawful basis is likely to be “necessary for the performance of a contract”; and
- obtaining parental consent for any child under the age of 13 means implementing age-verification measures and making “reasonable efforts” to verify parental responsibility.
Why is this important?
Based on the number of slightly panicky emails that were being sent out at the eleventh hour asking customers to “re-consent” ahead of GDPR, this is clearly a topic that has got organisations of all shapes and sizes worried. This is in many ways understandable – getting consent wrong can be costly, as the fines handed out to Honda, Flybe and Morrisons demonstrate (and much has been said about the increased fines under GDPR, which only serves to increase the pressure on organisations). However, the ICO has repeatedly conveyed a message of reassurance that the GDPR is not intended to hunt out offenders and punish them with astronomical fines, and the latest message on consent follows this trend. The ICO said that “scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR”.
Again, however, getting consent wrong (particularly any attempt to rely on consent that has been obtained as a pre-condition to the provision of a service) can be costly; we can see the ICO recognizing that organisations may not have appreciated that more appropriate alternatives exist which, if relied on, would not have the effect of depriving the individual of genuine ongoing choice and control.
Any practical tips?
If to be relied upon, existing consents should be reviewed to ensure that they meet the GDPR standard. For example, have pre-ticked boxes been used? The regulators have made it clear that now, only an active, opt in tick box will do (similarly, explicit consent must be clearly and expressly confirmed in words). Consent should also be granular, with separate consents matched to separate processing purposes. The right to withdraw consent must be clear in any consent request. Demonstrating consent has been obtained is key to its validity and recording and documenting the process must be equally granular. Above all, remember that you should ask yourself in the first place whether another lawful basis altogether might be more appropriate.
The ICO’s practical examples
- A credit card company asks for consent for personal data to be sent to credit reference agencies.However, when an individual withdraws their consent, the company still sends the data to the agencies on the basis of “legitimate interests”.Here, there was no real choice for the data subject to begin with.As such, “legitimate interests” should have been used from the start.
- A café provides free wifi, but individuals need to provide their name, email address and phone number, and agree to the café’s T&Cs, in order to access the network.Within the T&Cs it states the customer consents to receiving marketing communications from the café.This means consent to direct marketing is a condition of accessing the service.However, collecting the personal data for direct marketing purposes is not necessary to provide the wifi and so this is not valid consent.
- An individual places their business card into a prize draw box in a coffee shop.This act clearly indicates the individual agrees to their name and contact number being processed for the prize draw.However, this consent does not extend to using those details for marketing or another purpose; a different lawful basis would be needed in order to do so.