The ICO has published its “Guide to the General Data Protection Regulation”, which includes expanded sections on using consent to process personal data, contracts and possible liabilities.
The ICO announced it had published the guide yesterday, and said it “explains the provisions of the GDPR to help organisations comply with its requirements”. The ICO called it a “living document” and said it was “working to expand it in key areas”.
The guide replaces the ICO’s previous document Overview of the GDPR. It has also produced a number of “tools to help organisations to prepare for the GDPR”, including a “Getting ready for the GDPR checklist” and “12 steps to take now”.
It said the guide “is not yet a finished product; it is a framework on which we will build upcoming GDPR guidance and it reflects how future GDPR guidance will be presented”. The ICO also promised to publish “more detailed guidance on some topics” which will be linked to the guide in future.
The guide also expands previously published sections on contracts and on liabilities for organisations under GDPR.
A spokeswoman from the ICO said the organisation was planning to publish “something later this week” as well as “a few other things aimed at small organisations such as charities”.
The GDPR is set to come into force from 25 May 2018.
Updates to consent
The new guide includes a number of checklists for organisations seeking to process data lawfully using consent. These checklists cover “asking for consent”, “recording consent” and “managing consent”.
The guide also sets out what the ICO considers “valid consent”. The guide defines this as being “freely given”, and specifically says that it must “cover the controller’s name, purposes of the processing and the types of processing activity”. The guide also sets out what it calls “explicit consent”, which must also be freely given and must be “expressly confirmed in words, rather than by any other positive action”.
It says organisations using consent to process data must make such a request “prominent, concise, separate from other terms and conditions and easy to understand”. It also says that organisations using consent must “ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings”.
The guide also recommends that organisations “keep consents under review and refresh them if anything changes”. It also suggests building “regular consent reviews into your business processes”.
Contracts and liabilities
The ICO’s guide also expands on when data controllers need to draw up contracts with third parties that process personal data on their behalf, and on the liabilities that may arise from such arrangements.
In the expanded section on contracts and liabilities under GDPR, the ICO said that GDPR “envisages that adherence by a processor to an approved code of conduct or certification scheme may be used to help controllers demonstrate that they have chosen a suitable processor.”
It also says that whenever a data controller uses a third party, the controller “needs to have a written contract in place”. These contracts must set out: “the subject matter and duration of the processing; the nature and purpose of the processing; the type of personal data and categories of data subject and the obligations and rights of the controller”.
The updated sections of the guide can be read in full on the ICO’s website.