The ICO’s GDPR consent guidance – tell us how you’ll be affected
17 Mar 2017
The Information Commissioner's Office (ICO) has published its draft consent guidance for the General Data Protection Regulation (GDPR), which could have far-reaching implications for your business.
The DMA will be submitting a robust customer-centric response to the ICO and needs your input.
We want to understand how the proposed guidance will affect your business and your customers.
The DMA has a number of concerns with the ICO guidance but we need examples and case studies to support the points we make. Our main concerns are:
- Consent: the proposals suggest third parties will have to be named. To give consumers the widest possible choice and best possible experience, we believe that precise sectors should be permitted.
- Applying the law retrospectively: Without GDPR-compliant consent, processing should cease. For businesses with large data sets this will be impossible to achieve in time for May 2018. We think some ‘grandfathering’ of data would be appropriate.
- Opt-in/opt-out consent: we would like some clarification on whether implied consent should be permitted.
- Legitimate interest: while the draft proposals flag legitimate interest as an alternative to consent, there is no corresponding guidance around this.
- Granularity/unbundling: when asking for consent, options for marketing, channels, analytics, profiling, sharing, third parties etc. have to be explained, but this will make clear statements, a requirement of the GDPR, impossible.
The ICO’s guidance states that you should “name your organisation and any third parties who will be relying on consent – even precisely defined categories of third party organisation will not be acceptable under GDPR.”
In other words, when organisations collect an individual’s personal data they need to specifically name in their privacy notice/policy the third parties that the personal data may be sent to. At the moment sharing data with categories of third parties, such as car insurance products, is allowed.
This could result in less relevant marketing communications as organisations will know less about their customers.
This point is important because it has a knock-on effect on profiling. Marketers will combine the first party data collected by their brand with third party data for profiling and segmentation. This allows brands to better understand their customers’ needs and offer them what they want. It is also unclear whether a brand would have to name a data processor they intended to work with for profiling and segmentation. A brand does not necessarily know who they plan to work with.
On applying the law retrospectively
All marketing now relies on the effective use of data. Organisations have invested significant resources and expertise in building databases to better understand their customers and make offers relevant to them. If the law is retrospectively applied then much of this data could be considered non-compliant after May 2018.
This could be disastrous for organisations who would lose the intelligence they’ve built up over years and after much investment. Rebuilding databases would take a long time and in some instances may not be possible.
The economic impact of these changes is another cause for concern. The damage to the data industry from the ICO’s guidance could have an impact on jobs and the ability of companies to meet potential customers. This will impact the economy and growth.
We would like further clarifications on this point and whether implied consent should be permitted.
There is a lot of emphasis in the document on using grounds other than consent for direct marketing. The possibility of legitimate interest is mentioned several times, yet there is no guidance on how to judge whether it is appropriate, making it impossible to justify legitimate interest for third party data use.
We understand that no guidance is planned, but a regulator has an obligation to provide adequate guidance so businesses can operate with confidence.
Satisfying all the options that might be required to demonstrate consent would make data collection impossibly complex.
Options for marketing, channels, analytics, profiling, sharing/transfer, third parties etc. will make consent statements long and convoluted, while another requirement of the GDPR is to explain how data will be used clearly, transparently and in plain English.
The deadline for submitting comments to the DMA is 27 March 2017. The final deadline for submitting comments to the ICO is 31 March 2017.