In light of the much anticipated ICO draft GDPR (the General
Data Protection Regulation) Consent Guidance being published
yesterday, 2 March 2017, we will be running a mini-series on the
guidelines under consultation and the impact the GDPR will have on
the much vexed position of consent and the impact on your
From May 2018, the current rules under the Data Protection Act
1998 will be superseded by much stronger rules designed to tackle,
in particular, huge changes in technology. The consultation will
end on 31st March with the finalised guidance expected to be issued
at some point in May.
Our mini-series will cover the following questions:
What is consent?
What does this mean for your business?
Do we always need consent to process data?
How do we now record and manage consent?
The GDPR introduces a higher standard for consent – one of
the grounds or conditions that must be met to demonstrate
"lawful processing" – with the aim of giving individuals
genuine choice and control over how their data is used by
Under the GDPR, consent must be "freely given,
specific, informed and an unambiguous indication of the data
subject's wishes by which he or she, by a statement or by a
clear affirmative action, signifies agreement to the processing of
personal data relating to him or her." This, essentially,
spells the death knell for the opt-out box much loved by marketers
and data managers.
The new rules also make the withdrawal of consent just as
important for individuals as the consent itself. Whilst consent
must be expressly given, there must also be mechanisms in place to
allow individuals to withdraw their consent and these must be as
easy to access as the consent itself.
In addition, consent is no longer allowed to be a pre-condition
of signing up to a service unless necessary as this would not be
full consent; and the data processor must now also name the parties
who will be relying on the consent and using the data, and where
possible there should be options for the individual to consent to
different types of data processing.
The impact of the change of law relating to consent could be
significant for your business; however, as highlighted in the ICO
draft guidance, consent to data processing puts the individual in
control of their own data and how it is used, and enhancing
procedures around consent helps build trust with consumers
and leads to higher levels of engagement. What does this mean?
Doing consent well can enhance your business reputation! Getting it
wrong will erode trust, damage business reputation and could result
in substantial fines in the most serious cases!
Whilst the ICO's guidance has been much anticipated, we
should not forget that consent is not the only legal basis under
the GDPR for processing data (although it can be extremely important
for your business where there is no other legal basis upon which to
Contact our Specialist Compliance and Regulatory
MacRoberts' team of data protection specialists can provide
expertise and advice to businesses wishing to adopt this proactive
approach to compliance preparation. We pride ourselves on our
diverse, resourceful and highly skilled team of compliance and
regulatory solicitors, who have substantial commercial and legal
experience, delivering a pragmatic and commercial approach to our
clients and their businesses.
If you require advice, assistance or representation in relation
to the upcoming General Data Protection Regulation obligations or
any other compliance and regulatory matters,
contact our team today for expert advice tailored to your needs
and/or sign up to our
newsletter to keep up to date with the latest GDPR news and
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.