ICO publishes final version of guidance on consent

A briefing note
Thu 24th May 2018

On 09 May 2018, the ICO published the final version of its guidance on consent, which is intended to sit alongside its Guide to the General Data Protection Regulation (“GDPR”). Now that the GDPR has come into force, the guidance will still be very useful for data protection experts, as it clarifies key issues regarding consent and when it should be relied on as a lawful basis for processing personal data.

Differences between consent under the Data Protection Act 1998 (“DPA”) and under the GDPR and Data Protection Bill 2017-2019

In its guidance, the ICO refers to the GDPR’s higher standard for consent, in comparison to the DPA. The main elements remain the same, insofar as consent needs to be freely given, specific, informed and there must be an indication signifying agreement. However, the GDPR has introduced new conditions for consent:

  • keeping records of consent;
  • clarity and prominence of consent requests;
  • the right to withdraw consent; and
  • avoiding making consent a condition of a contract.

The guidance also highlights the new specific provisions on children’s consent for online services and consent for scientific research purposes.

In respect of existing DPA consents, the ICO states that, under the GDPR, you can continue to rely on existing consents if they are GDPR-compliant. However, if they do not meet the GDPR standard or are not properly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for processing, or stop the processing.

Why consent is important

The guidance focuses on the benefits of getting consent issues right and the consequences of getting it wrong. It reiterates the fact that consent is one of six lawful bases for processing of data under the GDPR and that, should you wish to process special category data, you will also need to apply one of the conditions in Article 9(2) of the GDPR; one option being “explicit consent”.

When consent is appropriate

The guidance extinguishes the common myth that you need consent for any processing of personal data. The ICO explains that you need to choose the lawful basis that is most appropriate for your relationship with the individual and the purpose of the processing. Therefore, the correct lawful basis for processing will need to be assessed on a case-by-case basis and, in all situations, from the outset.

The guidance also touches upon consent sometimes being required under the Privacy and Electronic Communications Regulations 2003 (“PECR”) in respect of marketing communications, website cookies or other online tracking methods, or to install apps or other software on people’s devices. The EU is still in the process of finalising a new e-regulation, but pending the regulation being finalised, the existing PECR rules continue to apply (using the GDPR definition of consent).

What is valid consent

Under the GDPR, valid consent is “any freely given specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The ICO guidance provides a detailed explanation in respect of each component of valid consent.

How we should obtain, record and manage consent

The ICO suggests that you:

  • keep your consent request separate from your general terms and conditions, and clearly direct people’s attention to it;
  • use clear, straightforward language;
  • adopt a simple style that your intended audience will find easy to understand;
  • avoid technical or legal jargon and confusing terminology;
  • use consistent language and methods across multiple consent options; and
  • keep your consent requests concise and specific, and avoid vague or blanket wording.

Organisations affected by the GDPR ought to consider the ICO guidance in detail and ensure they are aware of the circumstances when consent can, and cannot, potentially be relied on as a lawful basis for processing.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798098.

Read the latest Employment Views & Insights
They seek to understand their clients and advise accordingly to achieve the outcomes that they require for their business needs.
Chambers and Partners
Stained glass window Employment SA Law
Views & Insights
The New Changes to Employment Law

Emily Morrison was asked by City A.M to comment on the new changes to employment law coming into force on 6th April, and discusses what businesses…

Read More
SA Law Employment Laptop
Views & Insights
What Changes will we see to Flexible Working Requests?

With employees being given the right to request flexible working from ‘day one’ of their employment, Chris Cook and Emily Morrison explain…

Read More
Stained glass window Employment SA Law
Views & Insights
Injury to Feelings: Vento Bands Increased

The President of the Employment Tribunals has confirmed an increase in the compensation bands (known as Vento bands) awarded for injury to feeling in…

Read More
SA Law Employment Laptop
Views & Insights
Introducing Fees in the Employment Tribunal and the Employment Appeal Tribunal

The Ministry of Justice has launched an open consultation on introducing fees in the Employment Tribunal and Employment Appeal Tribunal. The proposed…

Read More
Stained glass window Employment SA Law
Views & Insights
Managing The Menopause at Work

The menopause can have a big impact on the day to day lives of employees. It is a natural part of aging and typically happens to women between the ages…

Read More
As there is so much expertise on offer from SA Law they can provide a legal expert on all areas so that it can be handled under one roof.
Legal 500
Stained glass window Employment SA Law
Views & Insights
Did Red Bull Shoot the Messenger?

Christine Caffrey gives an insight into the Christian Horner controversy after his female colleague accused the Red Bull F1 boss of “inappropriate…

Read More
SA Law Employment Laptop
Views & Insights
New ICO Guidance on Sharing Personal Data in Mental Health Emergencies

Employers need to plan ahead to ensure personal data can be shared appropriately to protect those affected by a mental health crisis.

Read More
Stained glass window Employment SA Law
Views & Insights
Employment Tribunal Compensation Limits from 6 April 2024

The Government has announced this year’s annual increase to Employment Tribunal compensation limits for certain tribunal awards and other statutory payments,…

Read More
SA Law Employment Laptop
Views & Insights
In the Firing Line… Fire and Rehire - the Government Responds to Consultation.

P&O’s mass fire and rehire of employees in 2022, shone a spotlight on exactly how companies use this practice. It sparked a huge show of public concern…

Read More
They are knowledgeable, with a commercial mindset, but also down to earth and friendly so it is easy to be very honest with them.
Chambers and Partners

© SA LAW 2024

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.