The Information Commissioner's Office (ICO) has published for consultation draft guidance on consent under the General Data Protection Regulation (GDPR).
The guidance is intended to provide practical advice for UK organisations on the changes that will be required to their consent mechanisms as a consequence of the higher standard of consent introduced by the GDPR.
The changes to the standard for consent under the GDPR reflect a more dynamic idea of consent. The guidance describes consent as 'an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away'.
The key elements of consent remain, namely that it must be freely given, specific and informed, and that there must be an indication signifying agreement. The GDPR strengthens this by requiring that the indication must be unambiguous and involve a clear affirmative action. Several new provisions relating to consent in the GDPR also contain more detailed requirements, meaning that many consent practices currently in use will no longer be acceptable under the GDPR.
Before examining the requirements for valid consent, the guidance tackles the question of whether or not consent is actually the best approach for legitimising data processing. Since the GDPR sets a high standard of consent, the ICO recognises that consent will not always be easy to obtain. Consent is one of six lawful bases for processing data under the GDPR and the ICO encourages organisations to consider the alternatives.
Although consent can build customer trust and engagement, the ICO states that consent will not be appropriate if your organisation is not able to offer a genuine choice. This may be the case if you could still process the data without consent on a different lawful basis, or if you require consent as a precondition for accessing your services. In these circumstances, an alternative basis should be considered.
Consent will also be inappropriate if there is an imbalance in the relationship between the individual and the controller, since the consent will not be freely given. The ICO points out that this will make consent particularly difficult for public authorities and employers, who should avoid relying on consent.
The key elements of obtaining a valid consent are as follows:
In order to demonstrate compliance, an effective audit trail must be created to evidence how and when consent was given, what individuals were told at the time and how they consented. Simple withdrawal mechanisms must be put in place, to ensure that it is as easy to withdraw as it was to give consent.
Consents should be kept under review and organisations should consider whether to automatically refresh consent at appropriate intervals. If in doubt, the guidance recommends refreshing consent every two years.
Will you be required to 'repaper' or refresh all existing consents under the Data Protection Act in preparation for the GDPR? The answer is probably yes. Although there is no express requirement to do so, in practice you will only be able to continue to rely on any existing consent if you are satisfied that your consent requests already met the GDPR standard and are properly documented. If your existing DPA consents are poorly documented or do not meet the GDPR's higher standards, you will need to decide whether to seek fresh consent, identify a different lawful basis for your processing or stop the processing.
As well as setting out the steps you should take to obtain fresh consents, the ICO's consent checklist should help you to decide whether existing consents meet the GDPR standard.
The ICO plans to publish a final version of the guidance in May 2017, following a short consultation on the draft guidance until 31 March. Thereafter, the guidance will be kept under review and updated to take account of future guidelines issued by the European authorities, as well as to reflect experience with the GDPR once in force.