ICO publishes final guidance on consent under the GDPR

The General Data Protection Regulation is due to come into effect in two weeks

The guidance
The guidance

The Information Commissioner’s Office has published its final, detailed guidance on consent under the General Data Protection Regulation, just two weeks before the new rules come into force.

The guidance, which explains when and how organisations such as charities can use consent to process people’s information, was published on the ICO’s website yesterday.

It warns that if someone withdraws their consent to process their data, the organisation is unlikely to be able to carry on doing so on another basis.

After 25 May, organisations that want to carry out data-processing activities, such as contacting people, will need to explain on what basis they are doing so.

One of the key justifications for this is having consent, although the standards for this will be higher than under current rules.

A draft version of the guidance was published for consultation in March last year. The new version is similar in many respects, although it does include more detailed explanations of some of the key concepts and more real-world examples.

But among the updates is a different position on whether organisations can continue to process data once someone has withdrawn their consent.

The original document told readers that if someone was to withdraw their consent "you will either need to stop the processing or identify another lawful basis and be able to justify why continued processing is fair".

But the new version offers a stricter interpretation of the legislation.

"You are not able to swap to a different lawful basis for this processing," the new guidance says.

"Even if you could originally have relied on a different lawful basis, once you choose to rely on consent you are handing control to the individual. It is inherently unfair to tell people they have a choice, but then continue the processing after they withdraw their consent."

But the guidance does say that the organisation might be able to hold on to the data for a different purpose under another lawful basis if this is made clear to the person whose data it is from the start.

In a blog coinciding with the release of the guidance, Steve Wood, deputy commissioner for policy at the ICO, says: "If your organisation is still on their journey to GDPR compliance, you should continue with your efforts to be ready before the law takes full effect on 25 May.

"But remember that this date is the start and not the end of GDPR compliance. Organisations need to sustain their compliance processes over time – this is the best way to take people with you on your business journey."

He also seeks to dispel the myth that organisations need to automatically refresh all their existing consents before the new rules come into force.

Both the draft version and the new guidance explain that this is not necessary, as long as the consent was captured in a way that complies with the requirements of the GDPR.

In the blog, Wood echoes Elizabeth Denham, the Information Commissioner, who has pointed out that consent is one way to comply with the GDPR, but is not the only way because there are six justifications for processing personal data under the law.

"No single basis is ’better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual," writes Wood.

Have you registered with us yet?

Register now to enjoy more articles and free email bulletins

Register
Already registered?
Sign in