All businesses should be aware that they need a lawful basis for processing their customers' personal data. There are several lawful bases for processing personal data, including having a contract to supply services to your customers and obtaining consent. If you rely on consent, it must be freely given, specific and a clear indication of the individual's wishes under the Data Protection Act 1998 (DPA). However, did you know that the consent regime is changing soon, and that you will need to meet a higher standard under the General Data Protection Regulation (GDPR) from May 2018?
To help organisations plan for the new regime, the UK's data protection regulator, the Information Commissioner's Office (ICO), recently produced draft guidance on 'GDPR consent'.
The ICO’s guidance notes explain that the GDPR’s new standard of consent will require:
o an “unambiguous indication of the data subject’s wishes… by a statement or by clear affirmative action” (the ICO gives a helpful list of some opt-in mechanisms)
o for purposes requiring explicit consent (e.g. processing sensitive personal data), you must obtain consent by an express statement confirmed in words
o a more granular opt-in method for distinct processing operations (applicable if you process personal data for more than one purpose or use different types of processing mechanisms)
o notification of the right to withdraw and a simple, easy-to-access method for withdrawal
There are also new requirements for obtaining children’s consent for online services, and consent for scientific research purposes. See the ICO website for separate guidance on children’s privacy.
Here are some more tips to keep in mind:
o silence, pre-ticked boxes, inactivity or blanket acceptance of your terms and conditions will not be deemed as valid consent – remember, failure to opt out is not consent
o consent requests should be separate from other terms and conditions – do not bundle your request with other terms and conditions, e.g. making consent a precondition to the sale of goods if the two are not related
o do not bury your consent request, and use plain English when asking for consent – make your request prominent, and keep it concise and easy to understand
o giving consent should not be a precondition for the service you are providing (unless necessary for the service, in which case examine other potential lawful bases of processing)
o make sure to name your organisation and any third party organisations who will rely on the consent (e.g. do not just say “and our third party partners”)
o once you have obtained the individual’s consent, keep clear records for your audit trail and keep these under review
Where you maintain data sets for email marketing purposes, it may become unlawful to use that data once the GDPR applies from May 2018, unless the email addresses were collected using consent wording that also meets the new requirements.
To ensure your business is ready for these GDPR changes, you should carry out an audit of your data processing activities, including a review of your policies on how you obtain, record and manage consents.
You should also check that the contracts you have with any IT service providers take account of the data protection regime we will all be operating under once the GDPR applies, particularly around liability limits and data transfers.
We are happy to assist you with your planning and implementation activities. Please see our GDPR guide for more information: The General Data Protection Regulations, A Quick Guide
A final word of warning – please pay careful attention to the ICO’s note about the penalties for getting this wrong. Not only may businesses suffer reputational damage and legal action from individuals, but they could also face heavy administrative fines (up to the higher of €20 million or 4% of total worldwide annual turnover) and costly enforcement orders from the ICO!