The second in our mini-series on the ICO guidance on
Consent, published on 2 March 2017, focuses on how
the changes to be introduced by the GDPR (General Data Protection
Regulation) will impact upon your business and what you can do to
pre-empt the changes before their introduction in May 2018.
The GDPR is not just about the change in the definition of
"consent." There are conditions for consent that all
drive home that the data subject is in control of their data
– and this means your organisation must have processes and
procedures in place to ensure that the data subject remains in
control and your business remains on the right side of the law.
Review your consent mechanisms. For some this may be
straightforward; for others, however, it may be more complex. It
will very much depend on the level of understanding your
organisation has about what data it collects and processes. There
has never been a more important time for an organisation to have a
"handle" on what data it has and why, and how the data
was obtained – and how it meets the requisite conditions for
"fair and lawful processing."
Here are some helpful hints:
The mechanisms for obtaining consent need to be clear and
prominent – you need to review your terms and conditions and
unbundle your consent requests so that they "stand apart from
the crowd". The concept of unbundling equally applies to
providing the data subject with the option to "pick and
choose" what processing they consent to, where possible or
The GDPR introduces the principle of accountability, which
requires that you demonstrate compliance with data protection
principles. Keeping records of how a data subject provided your
organisation with consent (including keeping records of what you
told them at the time) will assist here.
Refusal and withdrawal of consent are just as important as
providing the consent. If a data subject wants to withdraw their
consent, they will have the option to do so at any time and it must
be as easy to withdraw their consent as it was to give it. You
will need to review consent notices, to ensure that you comply with
this and put in place processes to enable your staff to implement
the withdrawal of consent to the processing you carry out. In
addition, you need to ensure that your consent notice allows the
individual to refuse their consent without detriment and that it
doesn't make it a pre-condition of a service you provide
In demonstrating an unambiguous indication of the data
subject's wishes by statement or affirmative action, dispense
with the use of the pre-ticked box.
So, in summary, you need to review your processes as to how you
currently obtain consent. This means looking at your consent
notices to make sure they comply with the following:
They are clear and unambiguous.
Set apart from your general terms and conditions.
Gives the data subject the right to withdraw consent.
Doesn't make the consent a pre-condition to delivery of a
Sets out what data is collected and all processing to be
carried out in clear and plain language that is easy to understand
and where possible the data subject can select to what they want to
You have stated clearly who the data controller is, along with
providing information relating to any third parties who will rely
on the consents.
And remember, consent is not always the most appropriate lawful
basis for processing. In the next part in our mini-series, we
consider "is consent always appropriate for data
Contact our Specialist Compliance and Regulatory Lawyers
MacRoberts' team of data protection specialists can provide
expertise and advice to businesses wishing to adopt this proactive
approach to compliance preparation. We pride ourselves on our
diverse, resourceful and highly skilled team of compliance and
regulatory solicitors, who have substantial commercial and legal
experience, delivering a pragmatic and commercial approach to our
clients and their businesses.
If you require advice, assistance or representation in relation
to the upcoming General Data Protection Regulation obligations or
any other compliance and regulatory matters,
contact our team today for expert advice tailored to your needs.
Sign up to our newsletter to keep up to date with the latest
GDPR news and developments.
The material contained in this article is of the nature of
general comment only and does not give advice on any particular
matter. Recipients should not act on the basis of the information
in this e-update without taking appropriate professional advice
upon their own particular circumstances.