All businesses should be aware that you need a lawful basis for processing your customers’ personal data. If you rely on consent, then this must be freely given, specific and a clear indication of the individual’s wishes under the Data Protection Act 1998 (DPA). However, did you know that the consent regime is changing soon, and you will need to comply with higher compliance standards under the General Data Protection Regulation (GDPR) from May 2018?
To assist organisations to plan for the new regime, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), recently produced draft guidance on 'GDPR consent'.
The ICO’s guidance notes explain that the GDPR’s new standard of consent will require:
- an “unambiguous indication of the data subject’s wishes… by a statement or by clear affirmative action” (the ICO gives a helpful list of some opt-in mechanisms)
- for purposes requiring explicit consent (e.g. processing sensitive personal data), you must obtain consent by an express statement confirmed in words, rather than by other affirmative actions
- a more granular opt-in method for distinct processing operations (applicable if you process personal data for more than one purpose or use different types of processing mechanisms)
- a simple, easy-to-access way for people to withdraw their consent
There are also new requirements for obtaining children’s consent for online services, and consent for scientific research purposes. The ICO is currently preparing separate guidance on children’s privacy.
Here are some more tips to keep in mind:
- silence, pre-ticked boxes, inactivity or blanket acceptance of your terms and conditions will not be deemed as valid consent – remember, failure to opt out is not consent
- consent requests should be separate from other terms and conditions – do not bundle your request with other terms and conditions, e.g. making consent a precondition to the sale of goods if the two are not related
- do not bury your consent request, and use plain English when asking for consent – make your request prominent, and keep it concise and easy to understand
- giving consent should not be a precondition for the service you are providing (unless necessary for the service, in which case examine other potential lawful bases of processing)
- be clear about who will rely on the consent – make sure to name your organisation and any third party organisations who will rely on it (e.g. do not just say “and our third party partners”)
- once you have obtained the individual’s consent, keep clear records for your audit trail and keep these under review
To ensure your business is ready for these GDPR changes you should start reviewing your policies on how you obtain, record and manage consents. The ICO’s guidance notes provide a helpful checklist, and we are also happy to assist you with your planning and implementation activities. Please see our GDPR guide for more information: The General Data Protection Regulations, A Quick Guide
A final word of warning – please pay careful attention to the ICO’s note about the penalties for getting this wrong. Not only may businesses suffer reputational damage, but they could face heavy administrative fines (the higher of up to €20 million or 4% of total worldwide annual turnover)!