The ICO has published its final consent guidance ahead of the 25 May GDPR deadline, saying that organisations won’t need to “automatically repaper or refresh” existing consents.
The guidance, published by the Information Commissioner’s Office yesterday afternoon, says that organisations will not be required to automatically refresh all old consents, but stresses that it is “important to check your processes and records in detail to be sure existing consents meet the GDPR standard”.
Consent under GDPR must be “freely given, specific, informed, and unambiguous”, with the ICO saying that if existing consents don’t meet this requirement, then organisations will “need to seek fresh, GDPR-compliant consent, identify a different lawful basis for your processing, or stop the processing”.
Organisations using consent as a means of lawfully processing personal data under GDPR will also be required to “put in place compliant mechanisms for individuals to withdraw their consent easily, and tell people they have the right to withdraw consent (if you haven’t already done so)”.
‘Key changes’ in the guidance
The ICO has issued a number of consultations on previous iterations of its consent guidance, but says the final document features some key changes from those earlier versions.
An ICO spokesperson said this document was “the final guidance up until 25 May at least”, but described GDPR as a “living, breathing document that will constantly be updated”.
The guidance lists a number of “key changes to make in practice”, including ensuring new consents are “unbundled” from other terms and conditions, are granular and distinct, are well documented and are an “active opt-in”.
The guidance says that organisations will “need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, prominent, opt-in, documented and easily withdrawn”.
The guidance can be downloaded and read in full here.
Consent ‘not the silver bullet’ for compliance
In a blog published on the ICO’s website yesterday, Steve Wood, deputy information commissioner, said that “consent is not the ‘silver bullet’ for GDPR compliance”, and warned that the 25 May deadline was only “the start and not the end of GDPR compliance”.
He wrote that “scaremongering about consent still persists”, and was critical of many media headlines, which “often lack context or understanding about all the different lawful bases” available to organisations under GDPR.
Wood was also critical of organisations which have complained that they will “lose customers” by bringing their consents up to the GDPR standard, pointing to recent ICO research which found that less than a quarter of the UK public trust companies and organisations using their personal data.
“Some have said that they will lose customers by bringing their consents to the GDPR standard. I say you will have better engagement with them and build customer trust.”
Wood’s blog can be read here.