ICO addresses uncertainty over GDPR consent requirements

The Information Commissioner has criticised commentators who mistakenly claim that, under the EU General Data Protection Regulation (GDPR), “data can only be processed if an organisation has explicit consent to do so”.

Elizabeth Denham clarified that consent is one of six lawful grounds for collecting personal data, and the rules for consent only apply if you are using it as your basis for processing. Articles that don’t make this clear create confusion and “[leave] no room to discuss the other lawful bases organisations can consider using”.

She made the comments in one of a series of blogs that will “sort the facts from the fiction” regarding the media coverage of the GDPR.

The trouble with consent

We’re often asked about gaining consent under the GDPR, so we’ve used our blog and GDPR webinar series to answer your questions and give advice. One of the most important things to know is that consent is the least reliable ground for collecting personal data, so it should only be used where absolutely necessary.

Why is consent unreliable? Say that your organisation has used consent to collect data and then you want to reuse that information for another purpose. That would mean you’d need to ask for everybody’s consent again. Anyone who refuses to consent or doesn’t reply must be removed from your records.

Similarly, individuals are free to withdraw their consent at any time. This means you have to remove them from your records. If you don’t, your organisation risks disciplinary action from your supervisory authority.

However, there are times when consent is the most appropriate basis, so you need to be aware of your obligations. In those instances, Denham is clear that the GDPR raises the standard for consent.

“Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent,” she said.

“The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear [and] plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”

GDPR Foundation course

You can find out more about the forthcoming changes by enrolling on our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.

This one-day course provides a comprehensive introduction to the Regulation and explains the implications and legal requirements for all organisations.

It’s ideal for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance and those with a basic knowledge of data protection who want to develop their career.

Find out more about our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.