Data Protection guidance consultation in preparation for 2018

Yes, it seems like a long way away, but the EU regulations about data processing will change in May 2018. The UK’s Information Commissioner’s Office has embarked on a consultation exercise to check whether its guidance on the meaning of “consent” is helpful.

Under current regulations, data protection consent means:

“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

However, under the new regulations, this will change to:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Already we expect data handling to become more sophisticated, and steps can be taken now to help prepare. The new guidance summarises the changes that are set out in the new regulations (known as the GDPR):

  • The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.
  • The GDPR is clearer that an indication of consent must be unambiguous and involve a clear affirmative action.
  • Consent should be separate from other terms and conditions. It should not generally be a precondition of signing up to a service.
  • The GDPR specifically bans pre-ticked opt-in boxes.
  • It requires granular consent for distinct processing operations.
  • You must keep clear records to demonstrate consent.
  • The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
  • Public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent.
  • You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

This means that, in practice, statements on websites and email marketing lists will need to be reviewed.