Information Commissioner's Office
Consent is not the ‘silver bullet’ for GDPR compliance
Blog posted by: Elizabeth Denham, Information Commissioner, 16 August 2017.
Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).
Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.
Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.
Last week I set the record straight on our new fining powers.
My second blog tackles an equally high-profile issue – consent.
You must have consent if you want to process personal data.
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.
Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information.
Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.
The new law provides five other ways of processing data that may be more appropriate than consent.
‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working with the other European authorities to publish guidance on it next year.
But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.
Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.
But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.
I can’t start planning for new consent rules until the ICO’s formal guidance is published.
I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.
Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.
Our series will continue next week. Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.
Latest News from
Information Commissioner's Office
Man prosecuted and police force given undertaking after sensitive data leak on Twitter19/01/2018 09:10:00
A Kent man who posted sensitive police information on Twitter has appeared in court after he admitted breaking the Data Protection Act.
Company which made 75 million nuisance automated calls in four months is fined by the ICO18/01/2018 09:10:00
A company which made 75 million nuisance calls in four months has been fined £350,000 by the Information Commissioner’s Office (ICO).
Statement in response to reports of Just Eat story17/01/2018 10:20:00
An ICO spokesperson yesterday gave a statement in response to reports of Just Eat story.
Firms behind 44 million spam emails, 15 million nuisance calls and one million spam texts fined by the Information Commissioner’s Office12/01/2018 11:10:00
Four companies that disrupted people with nuisance marketing have been fined a total of £600,000 by the Information Commissioner’s Office (ICO).
Carphone Warehouse fined £400,000 after serious failures placed customer and employee data at risk11/01/2018 09:10:00
Carphone Warehouse has been issued with one of the largest fines by the Information Commissioner’s Office (ICO), after one of their computer systems was compromised as a result of a cyber-attack in 2015.