Information Commissioner's Office
Consent is not the ‘silver bullet’ for GDPR compliance
Blog posted by: Elizabeth Denham, Information Commissioner, 16 August 2017.
Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).
Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.
Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.
Last week I set the record straight on our new fining powers.
My second blog tackles an equally high-profile issue – consent.
Myth: "You must have consent if you want to process personal data."
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.
Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Think of local authorities processing council tax information, banks sharing data for fraud protection purposes, or insurance companies processing claims information.
Each one of these examples relies on a different lawful basis for processing personal information, and none of them is consent.
The new law provides five other ways of processing data that may be more appropriate than consent.
‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working with the other European authorities to publish guidance on it next year.
But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.
Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.
But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.
Myth: "I can’t start planning for new consent rules until the ICO’s formal guidance is published."
I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.
Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.
Our series will continue next week.
Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.