ICO publishes draft GDPR consent guidance

The Information Commissioner's Office (ICO) has published for consultation draft guidance on consent under the General Data Protection Regulation (GDPR).

The guidance is intended to provide practical advice for UK organisations on the changes that will be required to their consent mechanisms as a consequence of the higher standard of consent introduced by the GDPR.  

What's new under the GDPR?

The changes to the standard for consent under the GDPR reflect a more dynamic idea of consent. The guidance describes consent as 'an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away'. 

The key elements of consent remain, namely that it must be freely given, specific, informed and there must be an indication signifying agreement. The GDPR strengthens this by requiring that the indication must be unambiguous and involve a clear affirmative action. Several new provisions relating to consent in the GDPR also contain more detailed requirements, meaning that many practices for obtaining consent which are used currently will no longer be acceptable under the GDPR. 

Is consent the most appropriate basis for processing?

Before examining the requirements for valid consent, the guidance tackles the question of whether or not consent is actually the best approach for legitimising data processing. Since the GDPR sets a high standard of consent, the ICO recognises that consent will not always be easy to obtain. Consent is one of six lawful bases for processing data under the GDPR and the ICO encourages organisations to consider the alternatives.

Although consent can build customer trust and engagement, if your organisation is not able to offer a genuine choice, the ICO states that consent will not be appropriate. This may be the case if you could still process the data without consent on a different lawful basis, or you require consent as a precondition for accessing your services. In these circumstances, an alternative basis should be considered.

Consent will also be inappropriate if there is an imbalance in the relationship between the individual and the controller, since the consent will not be freely given.  The ICO points out that this will make consent particularly difficult for public authorities and employers, who should avoid relying on consent.

Obtaining consent

The key elements of obtaining a valid consent are as follows:

  • Clarity: requests need to be prominent, concise, easy to understand and set out separately from any other information, such as terms and conditions. Consent should also be granular: separate options to consent should be sought for different types of processing.
  • Identity: every party who will be relying on the consent must be clearly identified. Currently, indirect consent may be valid if the consent describes categories of organisations who may wish to use the consent. The new guidance makes it clear that this will no longer be acceptable; all third parties who will rely on the consent must be named. 
  • Active opt-in: clear affirmative action requires a deliberate action to opt in.  Various affirmative opt-in methods are outlined in the guidance, including opt-in boxes, signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default. Consent must be opt-in – the guidance emphasises that failure to opt out is not consent.
  • Explicit consent: if explicit consent is required, for example to legitimise the use of sensitive data or automated decision-making (including profiling), the opt-in needs to involve an express statement confirming consent. Age-verification measures and parental consent will also be required if you are offering online services to children and want to rely on consent for processing.

Recording and managing consent

In order to demonstrate compliance, an effective audit trail must be created to evidence how and when consent was given, what individuals were told at the time and how they consented. Simple withdrawal mechanisms must be put in place, to ensure that it is as easy to withdraw as it was to give consent.

Consents should be kept under review and organisations should consider whether to automatically refresh consent at appropriate intervals. If in doubt, the guidance recommends refreshing consent every two years.
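As an added illustration of the record-keeping elements above (this is not part of the ICO guidance or of this article; the schema, the ConsentLedger class, the field names and the sample data are assumptions made for this page), the following Python sketch shows what a consent record needs to capture to serve as evidence: who consented, to which single purpose (granularity), in favour of which named parties, by what affirmative method, the exact wording they were shown, and when. It also records withdrawal without deleting the original evidence and flags records older than the two-year refresh interval the draft guidance suggests.

```python
"""Minimal append-only consent ledger (added example, not the ICO's or the
article's own code). Field names, the ConsentLedger class and all sample
data are assumptions made for illustration."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
import hashlib

# Opt-in methods the draft guidance lists as clear affirmative action.
# Anything else (pre-ticked boxes, silence, failure to opt out) is rejected.
AFFIRMATIVE_METHODS = frozenset({
    "opt_in_box", "signed_statement", "oral_confirmation",
    "binary_choice", "settings_change",
})
REFRESH_INTERVAL = timedelta(days=2 * 365)  # "refresh consent every two years"


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                          # one purpose per record (granular)
    relying_parties: Tuple[str, ...]      # every controller relying on it, named
    method: str                           # how agreement was signified
    statement_version: str                # which wording was shown
    statement_sha256: str                 # hash of the exact text shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Withdrawal never deletes the original record; history is kept."""

    def __init__(self) -> None:
        self._current: Dict[Tuple[str, str], ConsentRecord] = {}
        self._history: List[ConsentRecord] = []

    def record(self, subject_id, purpose, relying_parties, method,
               statement_version, statement_text, given_at) -> ConsentRecord:
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(f"{method!r} is not a clear affirmative action")
        parties = tuple(p.strip() for p in relying_parties)
        if not parties or any(not p for p in parties):
            raise ValueError("every party relying on the consent must be named")
        rec = ConsentRecord(
            subject_id, purpose, parties, method, statement_version,
            hashlib.sha256(statement_text.encode("utf-8")).hexdigest(), given_at)
        self._current[(subject_id, purpose)] = rec
        self._history.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at) -> ConsentRecord:
        key = (subject_id, purpose)
        if key not in self._current:
            raise KeyError(f"no consent on file for {key}")
        rec = replace(self._current[key], withdrawn_at=at)  # keeps given_at etc.
        self._current[key] = rec
        self._history.append(rec)
        return rec

    def active_consent(self, subject_id, purpose, now) -> Optional[ConsentRecord]:
        """Return the consent to rely on, or None if withdrawn or stale."""
        rec = self._current.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return None
        if now - rec.given_at > REFRESH_INTERVAL:
            return None  # older than the refresh interval: re-seek consent
        return rec

    def due_for_refresh(self, now) -> List[Tuple[str, str]]:
        return sorted(key for key, rec in self._current.items()
                      if rec.withdrawn_at is None
                      and now - rec.given_at > REFRESH_INTERVAL)

    def history(self, subject_id) -> List[ConsentRecord]:
        return [r for r in self._history if r.subject_id == subject_id]


# Constructed sample data: fictional individuals, organisations and dates.
T0 = datetime(2017, 3, 1, tzinfo=timezone.utc)
NEWSLETTER_TEXT = "Tick this box to receive the Example Ltd newsletter by email."


def build_sample_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record("user-42", "email_newsletter", ("Example Ltd", "MailCo Ltd"),
                  "opt_in_box", "v3", NEWSLETTER_TEXT, T0)
    ledger.record("user-42", "postal_offers", ("Example Ltd",),
                  "signed_statement", "v3", "I agree to receive offers by post.", T0)
    ledger.record("user-7", "email_newsletter", ("Example Ltd", "MailCo Ltd"),
                  "opt_in_box", "v3", NEWSLETTER_TEXT, T0 - timedelta(days=800))
    ledger.withdraw("user-42", "postal_offers", T0 + timedelta(days=60))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    now = T0 + timedelta(days=90)
    print(ledger.active_consent("user-42", "email_newsletter", now) is not None)
    print(ledger.active_consent("user-42", "postal_offers", now))  # withdrawn
    print(ledger.due_for_refresh(now))  # user-7's consent is over two years old
```

Hashing the exact statement text, rather than storing only a version label, lets you later prove what wording an individual saw even if the label is reused or the page is edited; keeping a history list rather than overwriting records is what makes the ledger an audit trail rather than a current-state table.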

Refreshing existing consents 

Will you be required to 'repaper' or refresh all existing consents under the Data Protection Act in preparation for the GDPR? The answer is probably yes. Although there is no express requirement to do so, in practice you will only be able to continue to rely on any existing consent if you are satisfied that your consent requests already met the GDPR standard and are properly documented. If your existing DPA consents are poorly documented or do not meet the GDPR's higher standards, you will need to decide whether to seek fresh consent, identify a different lawful basis for your processing or stop the processing.

As well as setting out the steps you should take to obtain fresh consents, the ICO's consent checklist should help you to decide whether existing consents meet the GDPR standard.

Next steps

The ICO plans to publish a final version of the guidance in May 2017, following a short consultation on the draft guidance until 31 March. Thereafter, the guidance will be kept under review and updated to take account of future guidelines issued by the European authorities, as well as to reflect experience with the GDPR once in force. 

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2017. Specific advice should be sought for specific cases. For more information see our terms & conditions.