By Steve Wood, Deputy Information Commissioner.
We’ve already tackled some myths around consent when it comes to the General Data Protection Regulation (GDPR) and you’ll be pleased to hear we’ve now published our final detailed guidance on consent to help you on your GDPR journey. This follows the guidance issued by the European Group of Data Protection Authorities, the Article 29 Working Party.
From marketing agencies to clubs and associations, to local authorities, consent has been a hotly debated topic.
Some of the myths we’ve heard are, “GDPR means I won’t be able to send my newsletter out anymore” or “GDPR says I’ll need to get fresh consent for everything I do.”
I can say categorically that these are wrong, but if misinformation is still being packaged as the truth, I need to bust another myth.
Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.
You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.
Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.
It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act.
We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.
If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.
Organisations risk non-compliance if their emails are difficult to follow and key information is lost at the end of the long text – people must clearly understand what they are consenting to.
Being open and transparent is key a component of the GDPR and the ICO has provided guidance on informing people about how their data is used.
Before sending emails, consider what the most effective way is to reach your customer – it may not be an email. Consider a data protection by design approach – where can this information be embedded to have the best impact.
Some have said that they will lose customers by bringing their consents to the GDPR standard. I say you will have better engagement with them and build customer trust.
Our research found that only one-fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information.
Consent is not the ‘silver bullet’
As the Commissioner said in her blog ‘consent is not the ‘silver bullet’ for GDPR compliance’ consent is one way to comply with the GDPR, but it’s not the only way.
Scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start. There are six lawful bases available for you to choose from. No single basis is ’better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual.
You know your organisation best and the purposes that you are processing personal data for. But there is help available – we have lots of guidance and resources on our website including our lawful basis interactive guidance tool that gives tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.
If your organisation is still on their journey to GDPR compliance you should continue with your efforts to be ready before the law takes full effect on 25 May. But remember that this date is the start and not the end of GDPR compliance. Organisations need to sustain their compliance processes over time – this is the best way to take people with you on your business journey.
|Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.|