Consent: Getting it right under the new rules #GDPR

Published

7th March 2017

In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.

 

From May 2018, the current rules under the Data Protection Act 1998 will be superseded by much stronger rules designed to tackle, in particular, huge changes in technology. The consultation will end on 31st March with the finalised guidance expected to be issued at some point in May.

Our mini-series will cover the following questions:

  1. What is consent?
  2. What does this mean for your business?
  3. Do we always need consent to process data?
  4. How do we now record and manage consent?

The GDPR introduces a higher standard for consent – one of the grounds or conditions requiring to be met to demonstrate “lawful processing,” with the aim of giving individuals genuine choice and control over how their data is used by organisations.

Under the GDPR, consent must be “freely given, specific, informed and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This, essentially, spells the death knell for the opt-out box much loved by marketers and data managers.

The new rules also make the withdrawal of consent just as important for individuals as the consent itself. Whilst consent must be expressly given, there must also be mechanisms in place to allow individuals to withdraw their consent and these must be as easy to access as the consent itself.

In addition, consent is no longer allowed to be a pre-condition of signing up to a service unless necessary as this would not be full consent; and the data processor must now also name the parties who will be relying on the consent and using the data, and where possible there should be options for the individual to consent to different types of data processing.

The impact of the change of law relating to consent could be significant for your business; however as highlighted in the ICO draft guidance, consent to data processing puts the individual in control of their own data and how this is used and by enhancing procedures around consent, this helps build trust with consumers and leads to higher levels of engagement. What does this mean? Doing consent well can enhance your business reputation! Getting it wrong will erode trust, damage business reputation and could result in substantial fines in the most serious cases!

Whilst the ICO’s guidance has been much anticipated, we should not forget that consent is not the only legal basis under the GDPR for processing data, (although can be extremely important for your business where there is no other legal basis upon which to process data.)

ICO Guidance on Consent

 

Visit MacRoberts Website for further details

Morton Fraser MacRoberts LLP

MacRoberts LLP, one of the largest independently owned law firms in Scotland, was founded over 150 years ago by the MacRobert family. We are a leading Scottish commercial law firm with full-service offices in Dundee, Edinburgh and Glasgow with a client base that reaches across Scotland and beyond.

Back to news