The Information Commissioner has published a blog in a bid to clarify the use of consent under the EU's General Data Protection Regulation (GDPR).
The Commissioner confirms that businesses need to “make sure the consent [they've] already got meets the standards of the GDPR. If not, [they'll] have to refresh it”. The blog also points out that consent is not the only way to comply with the GDPR, as there are five other ways to lawfully process personal data. For organisations relying on consent, the Information Commissioner's Office (ICO) draft guidance is a good place to start; the final version is expected in December 2017. There is no need to wait for the final version, however, as it is unlikely to change significantly from the draft.
The Commissioner reinforces that organisations will need to document all their decisions so that they can demonstrate to the ICO which lawful basis justifies the data processing. Guidance on legitimate interests and justification is already available, and there is no need to await further GDPR guidance, which is expected in 2018. The Commissioner advises that "you know your organisation best and should be able to identify your purposes for processing personal information".
The blog is the second in a series demystifying the GDPR, and the series should provide some comfort to organisations that are preparing for the GDPR.