By Elizabeth Denham, Information Commissioner.
Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).
Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.
Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.
Last week I set the record straight on our new fining powers.
My second blog tackles an equally high-profile issue – consent.
You must have consent if you want to process personal data
The GDPR is raising the bar to a higher standard for consent.
Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.
This has understandably created a focus on consent.
But I’ve heard some alternative facts. How “data can only be processed if an organisation has explicit consent to do so”.
The rules around consent only apply if you are relying on consent as your basis to process personal data.
So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.
Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.
Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.
For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.
Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing medical information.
Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.
The new law provides five other ways of processing data that may be more appropriate than consent.
‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working with the other European authorities to publish guidance on it next year.
But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.
Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.
But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.
I can’t start planning for new consent rules until the ICO’s formal guidance is published
I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.
Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.
Our series will continue next week.
|Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.|