The second in our mini-series on the ICO guidance on Consent, published on 2 March 2017, focuses on how the changes to be introduced by the GDPR (General Data Protection Regulation) will impact upon your business and what you can do to pre-empt the changes before their introduction in May 2018.

The GDPR is not just about the change in the definition of "consent." The conditions for consent all drive home that the data subject is in control of their data – and this means your organisation must have processes and procedures in place to ensure that the data subject remains in control and your business remains on the right side of the law.

Yesterday, we outlined some of the key changes; today, we look at what businesses can do to prepare for the implementation of the GDPR.

What do businesses need to do to prepare?

Review your consent mechanisms. For some this may be straightforward; for others it may be more complex. It will very much depend on the level of understanding your organisation has about what data it collects and processes. There has never been a more important time for an organisation to have a "handle" on what data it has and why, how the data was obtained, and how it meets the requisite conditions for "fair and lawful processing."

Here are some helpful hints:

  • The mechanisms for obtaining consent need to be clear and prominent – you need to review your terms and conditions and unbundle your consent requests so that they "stand apart from the crowd". The concept of unbundling equally applies to providing the data subject with the option to "pick and choose" what processing they consent to, where possible or appropriate.
  • The GDPR introduces the principle of accountability, which requires that you demonstrate compliance with data protection principles. Keeping records of how a data subject provided your organisation with consent (including keeping records of what you told them at the time) will assist here.
  • Refusal and withdrawal of consent are just as important as providing the consent. If a data subject wants to withdraw their consent, they will have the option to do so at any time, and it must be as easy to withdraw their consent as it was to give it. You will need to review consent notices to ensure that you comply with this, and put in place processes to enable your staff to implement the withdrawal of consent to the processing you carry out. In addition, you need to ensure that your consent notice allows the individual to refuse their consent without detriment and that it doesn't make consent a pre-condition of a service you provide (unless necessary).
  • In demonstrating an unambiguous indication of the data subject's wishes by statement or affirmative action, dispense with the use of the pre-ticked box.

So, in summary, you need to review your processes as to how you currently obtain consent. This means looking at your consent notices to make sure they comply with the following:

  • They are clear and unambiguous.
  • They are set apart from your general terms and conditions.
  • They give the data subject the right to withdraw consent.
  • They do not make the consent a pre-condition to delivery of a service.
  • They set out what data is collected and all processing to be carried out, in clear and plain language that is easy to understand, and where possible let the data subject select what they want to consent to.
  • They state clearly who the data controller is, and provide information relating to any third parties who will rely on the consents.

And remember, consent is not always the most appropriate lawful basis for processing. In the next part in our mini-series, we consider "is consent always appropriate for data processing?"

Read Part 1: Consent: Getting it right under the new rules #GDPR – Part 1: What is Consent?


© MacRoberts 2017

Disclaimer

The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.