The Information Commissioner’s Office (ICO) has issued its GDPR consent guidance
which gives marketers practical advice on how to behave from 2018.
Guidance from the Information Commissioner’s Office sets out exactly how consent must be obtained from May 2018 when the GDPR comes into force.
The guidance is out for consultation until 31 May for marketers to respond.
Speaking about the draft guidance Chris Combemale, CEO of DMA Group, said: “The ICO has given greater clarity as to when and how consent should be the basis for processing data and highlighted the other five legal bases for data processing, including legitimate interest.
“The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.
“The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance. At the same time we have concerns around some of the specific guidance around consent and will share our views robustly during the consultation period,” he said.
In the guidance, the ICO lists the main changes that marketers will need to consider:
• Unbundled: asking for consent should be separate from other terms and conditions so individuals are clear what they consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
• Active opt-in: the GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
• Granular: where there are various different types of data processing that may occur, allow for separate consent as much as possible. The ICO want organisations to be as granular as possible which means giving consumers more control over what they’re consenting to.
• Named: always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations the data will be shared with need to be named.
• Documented: maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
• Easy to withdraw: individuals should be easily able to withdraw their consent. Organisations must put in place simple and fast methods for withdrawing consent. Tell individuals about their right to withdraw consent.
• No imbalance in the relationship: This point is less relevant for marketing but consent should be freely given and where this is a power imbalance between an organisation and an individual this will be hard to achieve. For example, the relationship between an employer and employee is an obvious power imbalance.
The ICO points out that the draft guidance is subject to change owing to developments in the EU. The Article 29 Working Party, which will become the European Data Protection Board, could have a different interpretation to the ICO which may mean the guidance will be revised.
On page 11 of the guidance the ICO points out that consent is not the only legal grounds to process personal data, and if consent is difficult to use then an organisation should consider using different legal grounds.
Use of third party data is greatly affected by the guidance. Building on from the Optical Express (see https://dma.org.uk/article/uk-tribunal-rules-against-third-party-consent-marketing-consent-must-be-informed-and-unambiguous) case where the ICO ruled that organisations need to name specific sectors an individual’s personal data will be shared with.
The ICO now says personal data can only be shared with named third parties.