ICO recommends opt-in communications in its GDPR guidance
The Information Commissioner’s Office has published draft guidance on the General Data Protection Regulation (GDPR) which recommends a move to “active opt-in” and says individuals have the right to withdraw consent at any time. The consultation document applies to all organisations and sectors which handle or process data.
The ICO has published its GDPR consent guidance document for consultation, which recommends that organisations which process data should review their consent mechanisms to make them more “specific, granular, clear, prominent, opt-in, documented and easily withdrawn”.
Organisations will also need to keep records of evidence for consent at every step of the process and have been advised by the ICO to “build regular consent reviews into your business processes”.
GDPR will also ban the use of “pre-ticked opt-in boxes” as a valid means of gaining an individual’s consent. The ICO also said that, while “GDPR does not specifically ban opt-out boxes,” that method is “essentially the same as pre-ticked boxes, which are banned”.
The document also points out that, when GDPR comes into force in May 2018, unlawful use of personal data would be subject to “the highest tier of administrative fines”. The ICO said that these could be as high as “€20m (£17.2m) or 4 per cent of a company’s total worldwide annual turnover, whichever is higher”.
‘Key changes to make in practice’ as result of GDPR
The ICO said that organisations that process data will need to make seven “key changes” to their consent mechanisms to ensure they meet GDPR requirements.
Consent must now be “unbundled”, meaning “separate from other terms and conditions”; an “active opt-in”; “granular”, with different consent options for different types of processing; “named”, including both the name of the organisation processing the data and any third parties also relying on that consent; “documented”; “easy to withdraw”; and not based on an “imbalance in the relationship”.
The ICO said that, while existing DPA consents would still be valid when GDPR comes into force, organisations will “need to be confident that your consent requests already meet the GDPR standard” if they are to be relied upon after May 2018.
The document also sets out a number of scenarios in which consent would be rendered invalid. Among the most relevant are where an organisation does not “have clear records to demonstrate” that a person consented in the first place, or where it has used “pre-ticked opt-in boxes or other methods of default consent”.
Keep records of clear consent
GDPR stipulates that consent “must be specific and informed” and, at a minimum, can only be obtained after certain information has been given. This includes the name of the organisation and any third parties who will rely on that consent, why the organisation wants the data and what it will do with it, including any “processing activities”.
GDPR will mean that organisations relying on consent “must have an effective audit trail of how and when consent was given, so organisations can provide evidence if challenged” regardless of how that consent was given, including oral consent.
The ICO has also said specifically that organisations relying on consent “cannot rely on silence, inactivity, pre-ticked boxes, opt-out boxes, default settings or blanket acceptance of your terms and conditions” as evidence of consent.
Individuals will also be given a “specific right to withdraw their consent” under GDPR, and that right will be “at any time”. The ICO said that an individual’s consent “must also be as easy to withdraw as it was to give”.
The ICO has published the document as part of a period of wider consultation on GDPR which will run from 2 March to 31 March 2017. It can be viewed on the ICO’s website.