ICO guidance on consent under the GDPR – the latest

Published on 12 June 2017

The Information Commissioner’s Office (ICO) ran a consultation on the draft guidance on consent under the General Data Protection Regulation (GDPR) this spring.

The development

The final form guidance from the ICO is being finalised and is intended to provide practical advice for UK organisations on the changes that will be required to their consent mechanisms as a consequence of the higher standard of consent introduced by the GDPR.

The changes

The changes to the standard of consent under the GDPR reflect a more dynamic idea of consent. The guidance describes consent as “an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away”.

The key elements of consent remain, namely that it must be freely given, specific, informed and there must be an indication signifying agreement. The GDPR strengthens this by requiring that the indication must be unambiguous and involve a clear affirmative action. Several new provisions relating to consent in the GDPR also contain more detailed requirements, meaning that many current practices for obtaining consent will no longer be acceptable under the GDPR.

For processing to be lawful under the GDPR, there is an obligation to identify (and make a record of) the lawful basis for the processing. There are six bases listed in Article 6(1) of the GDPR on “Lawfulness of Processing”, and consent is one of them. The definition and role of consent remain similar to those found under the Data Protection Act 1998 (DPA). What the GDPR does, however, is expand the DPA standard of consent in several areas.

The key changes to obtaining consent are as follows:

• giving consent – the GDPR is clearer (when compared to the DPA) that an indication of consent must be unambiguous, prominent, concise and easy to understand
• unbundled – requests for consent should be kept separate from other terms and conditions. In particular, consent should not be a precondition of signing up to a service unless necessary for that service
• granular – separate options to consent should be sought for different types of processing
• named – the individual should be made aware of any third parties to whom his or her personal data will be disclosed. The ICO’s view is that third parties must be listed by name
• documented – records must be kept demonstrating what the individual has consented to (including the specific information given to them) and the date and means of how they consented. Consents should also be kept under review and refreshed if anything changes as an ongoing exercise
• active opt-in – consent must be opt-in consent; there is no such thing as “opt-out consent”. In other words, failure to opt-out cannot be taken to be consent; there needs to be a positive action in order to consent. Various affirmative opt-in methods are outlined in the guidance, including opt-in boxes, signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default
• easy to withdraw – data subjects should be made aware of the right to withdraw their consent at any time as well as the method for doing so. It must be as straightforward to withdraw as it was to give consent
• no imbalance in the relationship – consent will not usually be appropriate where there is an imbalance of power between the individual and controller; in such circumstances consent may not be considered freely given. Therefore, public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent.

Any practical tips?

There is no requirement to “repaper” or automatically refresh all existing DPA consents in preparation for the GDPR. However, there is a need to review all consents currently in place (along with the mechanisms for documentation) in order to ensure they meet the standard expected by the GDPR. So, if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented then you will need to seek fresh GDPR-compliant consent, identifying a lawful basis for the processing, or stop the processing.

Further, organisations will need to ensure that certain mechanisms are in place which allow for individuals to easily withdraw their pre-GDPR consent.

The ICO has helpfully provided a checklist [1] at the end of the draft guidance that details the steps that should be taken to seek valid consent under the GDPR. This is a helpful starting point for reviewing current practices. The final form guidance is due to be published by the ICO shortly.

[1] See pages 38-39 of the draft guidance, which can be found here. There is also a helpful “Data protection self-assessment toolkit” for getting ready for the GDPR that can be found here.

Rather oddly, the draft guidance makes no mention of the new draft ePrivacy Regulations (January 2017), which are due to come into force at the same time as the GDPR. The ePrivacy Regulations directly address consents for marketing, including for Over-the-Top services (ie messaging services) and cookies etc. Interestingly, the ePrivacy Regulations (at least in current draft form) still embrace the concept of the “soft-opt-in” (ie opt-out) when the marketing consent is obtained in connection with the purchase of a product or service. This is somewhat in contrast to the ICO’s clearly stated “active opt-in” approach, and highlights just how much ground the regulators need to cover before 25 May 2018 (GDPR “D-Day”).