The Information Commissioner’s Office has published draft guidance as to how consent must be obtained once the GDPR comes into force in May 2018.
The guidance is currently out for consultation. Marketers have until March 31 to respond.
The GDPR builds on the Data Protection Act (DPA) standard of consent in several areas, and raises the bar significantly. Compliance means giving individuals genuine choice and ongoing control over how their data is used. Organisations must be transparent and accountable.
The ICO’s draft guidance explains its recommended approach to compliance and what counts as valid consent. It provides practical help to decide when to rely on consent, and when to look at alternatives. It also explains the key differences with the DPA and gives advice about existing DPA consents.
The main changes that marketers will need to consider are:
- Unbundled: asking for consent should be separate from other terms and conditions so individuals are clear what they consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
- Active opt-in: the GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
- Granular: where there are various types of data processing that may occur, allow for separate consent as much as possible. The ICO want organisations to be as granular as possible which means giving consumers more control over what they’re consenting to.
- Named: always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations the data will be shared with need to be named.
- Documented: maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
- Easy to withdraw: individuals should be easily able to withdraw their consent. Organisations must put in place simple and fast methods for withdrawing consent. Tell individuals about their right to withdraw consent.
- No imbalance in the relationship: This point is less relevant for marketing but consent should be freely given and where this is a power imbalance between an organisation and an individual this will be hard to achieve. For example, the relationship between an employer and employee is an obvious power imbalance.
On page 11 of the guidance the ICO points out that consent is not the only legal grounds to process personal data, and if consent is difficult to use then an organisation should consider using different legal grounds.
Use of third party data is greatly affected by the guidance. This builds on the Optical Express case, where the ICO ruled that organisations need to name specific sectors an individual’s personal data will be shared with.
The ICO now says personal data can only be shared with named third parties.
It is the ICO’s intention to publish its guidance in May 2017, following the consultation and subject to developments at the European level. The Article 29 Working Party, which will become the European Data Protection Board, could have a different interpretation to the ICO which may lead to revisions.
Speaking about the draft guidance Chris Combemale, CEO of DMA Group, said: “The ICO has given greater clarity as to when and how consent should be the basis for processing data and highlighted the other five legal bases for data processing, including legitimate interest.
“The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.
“The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance. At the same time we have concerns around some of the specific guidance around consent and will share our views robustly during the consultation period.”
The DMA is now gathering feedback from the industry as part of the ICO’s consultation and welcomes any comments. Please contact firstname.lastname@example.org to contribute.