ICO GDPR consent guidance: many organisations' current practices will not pass muster

The UK’s data protection regulator, the Information Commissioner’s Office (ICO) has published draft guidance on consent under the General Data Protection Regulation (GDPR). The guidance translates the GDPR’s principles into concrete examples of what will and will not be acceptable.

Common approaches will no longer suffice 

The guidance confirms what we had already deduced from the GDPR’s text: it will be harder for organisations to justify processing personal data based on individuals’ consent once the GDPR is in force. In particular, many organisations’ current approaches will no longer suffice, for example:

• pre-ticked boxes;

• non-specific, ‘blanket’ and/or indefinite consents; and

• acknowledgements (as opposed to a specific indication of agreement).

Individuals must be offered genuine choice and control over whether to grant consent. ICO specifies that employers and public authorities are unlikely to be able to rely on consent, because individuals might feel they have no choice but to consent to their employer or to a public authority that has power over them.

Adequate notice 

Equally as important as the form of consent is the notice on which it is based. ICO confirms that the request for consent must be:

• precise;

• concise;

• separate from other terms and conditions; and

• in plain language (use of double negatives or inconsistent language will invalidate consent).

Unfortunately, the guidance does not explain how to reconcile this with the detailed information that the GDPR requires organisations to include in their notices.

Is consent the most appropriate basis for processing?

The upshot is that, where organisations might previously have relied on consent to justify processing personal data, they will likely have to look at alternatives. ICO’s rule of thumb is: whenever you have difficulty meeting the standard for consent, this is a warning sign that consent may not be the most appropriate basis for your processing.

Interestingly, the guidance gives a relatively permissive interpretation of the ‘legitimate interests’ justification: you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests. It does not stress the ‘necessary’ element of that justification, which the Article 29 Working party (the group of EU regulators) had indicated was a relatively high bar in previous guidance. The Article 29 working party is also planning GDPR consent guidance; it will be interesting to see what it adds.

ICO is consulting on this guidance until 31 March. You can read the guidance and download the consultation document here.