Out-Law News | 03 Mar 2017 | 2:47 pm | 4 min. read
The UK's Information Commissioner's Office (ICO) has opened a consultation on proposed new guidance (39-page / 258KB PDF) which addresses changes to the rules on consent contained in the General Data Protection Regulation (GDPR), which was finalised last year and applies from 25 May 2018. The UK government has already confirmed the GDPR will be adopted in the UK despite the country moving towards an exit from EU membership.
Data protection law expert Kristina Holt of Pinsent Masons, the law firm behind Out-Law.com, said: "Unlike some other aspects of the GDPR, including the UK's legislative plans for implementing the new rules, the ICO's guidance on consent is open to consultation. This is welcome as it gives businesses and other stakeholders an opportunity to flag concerns or seek clarity on points that they are not sure about. I would recommend businesses spend time familiarising themselves with the consent guidance and take the chance to engage with the ICO."
One of the ways in which organisations can lawfully process personal data is where they have obtained a person's consent to do so. The definition of consent under GDPR is similar to how the term is currently defined under existing EU data protection laws.
However, in its guidance the ICO explained that there are some differences that could require businesses to make changes to the way they obtain consent at the moment.
"You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn," the ICO said.
The new rules put a "greater emphasis … on individuals having clear granular choices upfront and ongoing control over their consent", it said.
The ICO urged businesses to ensure requests for consent are "prominent, concise, separate from other terms and conditions, and in plain language". It said that the use of "double negatives or inconsistent language", or any other "vague, sweeping or difficult to understand" statements, would invalidate consent under the GDPR.
The ICO said organisations should avoid making consent to such processing "a precondition of signing up to a service unless necessary for that service", as consent in those circumstances would not be considered to be 'freely given', as is required under the GDPR. However, it said it could be open to some businesses to "incentivise consent to some extent" as long as they are "careful not to cross the line and unfairly penalise those who refuse consent".
"For example, if joining the retailer’s loyalty scheme comes with access to money-off vouchers, there is clearly some incentive to consent to marketing," the ICO said. "The fact that this benefit is unavailable to those who don’t sign up does not amount to a detriment for refusal."
The ICO also warned businesses that the use of pre-ticked boxes "or any other method of consent by default" is prohibited under the GDPR, and encouraged them instead to "use unticked opt-in boxes or similar active opt-in methods", offering a "binary choice" in which each option is "given equal prominence".
Businesses should also allow data subjects to provide consent on a granular level for each different type of data processing envisaged "wherever appropriate", as "vague and blanket consent" will be barred under the new regime, it said.
The ICO also urged organisations to inform data subjects of the name of each organisation, including third parties, which would be relying on the consent they are being asked to provide. It warned that businesses that instead list the organisations relying on consent by "precisely defined categories" will not comply with the GDPR.
Businesses will also be expected to retain records proving "what the individual has consented to, including what they were told, and when and how they consented", it said. They should also ensure that individuals can exercise their rights to withdraw consent in a way which is as easy as it was to give that consent, the watchdog said.
The ICO warned that employers are unlikely to be able to rely on consent as a lawful means for processing personal data of staff. This is because of the "clear imbalance of power" employers have in that relationship, it said. Similarly, public authorities are unlikely to be able to rely on consent when dealing with people reliant on their services, it said.
"If you are a public authority or are processing employee data, or are in any other position of power over an individual, you should look for another basis for processing, such as ‘performance of a public task’ if you are a public authority, or ‘legitimate interests’ if not," the ICO said in its guidance.
Examples of how businesses could record consents and what is required within their record-keeping are contained in the ICO's guidance, together with a brief explanation of what the alternatives to consent are for organisations wishing to process personal data under the GDPR.
The ICO's draft guidance is open to consultation until 31 March.
Jo Pedder, interim head of policy and engagement at the ICO, said: "Basing your processing of customer data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable."
"Getting this right should be seen as essential to good customer service: it will put people at the centre of the relationship, and can help build customer confidence and trust. This can enhance your reputation, improve levels of engagement and encourage use of new services and products. It’s one way to set yourself apart from the competition and will be fundamental to the growth of the digital economy," she said.
The Article 29 Working Party, which is a committee of data protection authorities from across the EU, including the ICO, is expected to issue its own guidance on consent under the GDPR later this year.