The Information Commissioner's Office has published its draft GDPR guidance for consent
03 Mar 2017
This is draft guidance which the ICO are putting out to consultation. They are accepting comments until 31 March 2017, if you wish to submit a response.
The DMA will be responding to the ICO and welcomes comments from members. Please email our external affairs manager, Zach Thornton, with any comments you may have. His email is Zach.Thornton@dma.org.uk.
Speaking about the draft guidance Chris Combemale, CEO of DMA Group, said: "The ICO has given greater clarity as to when and how consent should be the basis for processing data and highlighted the other 5 legal bases for data processing, including legitimate interest.
"The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.
"The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance. At the same time we have concerns around some of the specific guidance around consent and will share our views robustly during the consultation period," he said.
The ICO points out in the draft guidance that it is subject to change owing to developments in the EU.
As the GDPR is a regulation, it means interpretation of it must be harmonised across EU nations. The Article 29 Working Party, which will become the European Data Protection Board, could have a different interpretation to the ICO.
Alternatives to consent
On page 11 of the guidance the ICO points out that consent is not the only legal grounds to process personal data, and says that if consent is difficult to use then an organisation should consider using a different legal ground.
For marketers this means increasingly relying on the legitimate interest ground to process personal data. Direct marketing is recognised as a legitimate interest in the GDPR.
The use of third party data is greatly affected by the guidance. The ICO say that for an individual's personal data to be shared with a third party then that third party must be specifically named. This is an area that the DMA will address in our response to the consultation.
However, the question here is whether an individual is informed when they consent for their personal data to be shared.
It is not necessarily the case that individuals will be more informed because specific companies are named. The names of the companies stated may be unfamiliar and leave individuals with less information about who their data will be shared with than a clear sector, for example, ‘car insurance companies’.
In the guidance, the ICO lists the main changes that marketers will need to consider:
- Unbundled: asking for consent should be separate from other terms and conditions so individuals are clear what they consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
- Active opt-in: the GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
- Granular: where there are various different types of data processing that may occur, allow for separate consent as much as possible. The ICO want organisations to be as granular as possible which means giving consumers more control over what they're consenting to.
- Named: always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like 'we will only share your data with other men's clothing retailers' are not specific enough. The individual organisations the data will be shared with need to be named.
- Documented: maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
- Easy to withdraw: individuals should be easily able to withdraw their consent. Organisations must put in place simple and fast methods for withdrawing consent. Tell individuals about their right to withdraw consent.
- No imbalance in the relationship: This point is less relevant for marketing but consent should be freely given and where this is a power imbalance between an organisation and an individual this will be hard to achieve. For example, the relationship between an employer and employee is an obvious power imbalance.
These seven points are the main changes that the ICO sign post in their guidance.
As the consent guidance points out, not all marketing channels will be able to take advantage of the legitimate interest route and will need to gain consent.
Under separate ePrivacy rules consent will likely be required for marketing using email, SMS and online cookies.
This is draft guidance and the DMA will be feeding back to the ICO to raise a number of concerns we have with the guidance.
In light of this draft guidance and as part of your GDPR implementation plans DMA members should review what their legal grounds they're relying on to process personal data.
Before you can make changes you need to form a comprehensive picture of what your business looks like: what personal data it holds, why and what your legal basis is when processing that personal data.
The DMA legal team will be publishing a comprehensive review of the consent guidance shortly.
The draft guidance is available here.