Obtaining consent is not “the silver bullet” for charities looking to lawfully process data under GDPR, says Elizabeth Denham, the Information Commissioner.
Writing in a blog published on the ICO's website, Denham said that “consent is not the ‘silver bullet’ for GDPR compliance” and said she’d seen and heard a “lot of misinformation out there” which is creating uncertainty for organisations around GDPR.
The Information Commissioner wrote that she’d heard some “alternative facts” around consent. In particular, she said it was wrong that an organisation needed "explicit consent" to process data.
Denham's comments follow criticism of the Department for Digital, Culture, Media and Sport, the government department responsible for GDPR, which incorrectly said in a recent statement that explicit consent would be required under the Data Protection Bill to process data.
Denham said that consent “is one way to comply with the GDPR, but it’s not the only way”.
She also said the ICO expects to publish its final consent guidance in December 2017.
‘There’s no need to wait for guidance’
Denham said that ‘legitimate interest’ is another way to process data lawfully, and said that she and her organisation were aware of the appetite in the charitable (and other) sector for more information. The ICO, alongside other European authorities, is set to publish its final guidance on legitimate interest sometime next year.
Denham warned organisations against waiting for the guidance, saying those interested in legitimate interest should read existing guidance on the topic made available by the ICO.
“There’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.”
Denham is writing a series of weekly blogs on the ICO website, touching on concerns around impending changes to data protection law which will come in with GDPR from May 2018.
In a blog written last week, Denham dismissed what she called “scaremongering” around the much larger fines that will be made available to the ICO once GDPR comes into effect. She said the ICO would not be “making early examples of organisations for minor infringements or that maximum fines will become the norm”.
Under GDPR, the maximum fine available to the ICO will be £17m, or 4 per cent of an organisation’s total global turnover.