The ICO has finally issued its much anticipated guidance on consent under the EU General Data Protection Regulation. The highlights are that consent will require an opt-in and that third parties must be specifically named.
The Regulator has opened a consultation on its draft guidance, inviting organisations and consumers to give their feedback by 31st March 2017; the draft is therefore subject to amendment.
GDPR definition of consent:
Article 4(11): “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Perhaps unsurprisingly, in the draft guidance the ICO has interpreted the words “unambiguous” and “clear affirmative action” in the GDPR’s definition of consent to mean opt-in. The draft guidance clearly states: “Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default”.
Furthermore, the ICO points out that an optional email address field labelled “we will use this to send you emails about our products and special offers” arguably still amounts to implied rather than explicit consent. It recommends a clear statement such as “I consent to receive emails about your products and services”, with a tick box to opt in, as the way to obtain explicit consent for that processing.
The news for organisations which share data with third parties, or which source data from third parties, is likely to be challenging unless significant changes are made between the draft and the final version. It had been hoped that naming specific sectors or categories of third parties with whom personal data may be shared would be sufficient for valid consent. However, the ICO states that a key point in order to meet GDPR requirements is to “name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under GDPR”.
‘Lawful grounds’ for processing other than consent
In a move that may offer some relief, the draft guidance does stress that organisations may rely on another lawful basis for processing under GDPR: “consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate”.
Organisations are encouraged to “identify the most lawful basis for processing from the start.”
The five other lawful bases for processing are:
• A contract with the individual
• Compliance with a legal obligation
• Vital interests
• A public task
• Legitimate interests
In the case of legitimate interests, the draft states: “if you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.”
Following the public consultation on the draft guidance, the ICO says it is provisionally aiming to publish the final guidance in June 2017, but notes that the guidance will need to continue to evolve and take into account any guidelines issued by the relevant European authorities.
Simon Blanchard, Senior Associate at the data compliance and marketing permissions consultancy Opt-4 says, “This draft guidance on consent has been much anticipated and it’s really no surprise to see the words ‘active opt-in’. So any organisations which have not already taken steps to move to an opt-in consent regime will need to get their thinking caps on and also give consideration to their approach to gaining valid consent from legacy data. There’s also a big impact on indirect consent as the guidance states that third parties the personal data is shared with must be named – giving the specific sectors of organisations the data will be shared with does not appear to be sufficient.”
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.