The Information Commissioner has published a blog giving guidance on the use of consent under the EU’s General Data Protection Regulation (GDPR).
The Commissioner confirms that “… you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it”, but highlights that consent is not the only way to comply with the GDPR: there are five other ways to lawfully process personal data, for example the legitimate interests condition. For organisations relying on consent, the Information Commissioner’s Office (ICO) “draft guidance on consent is a good place to start right now”, and there is no need to await the final guidance, which is expected in December 2017, as it is unlikely to change significantly.
The Commissioner reinforces that organisations will need to document their decisions to be able to demonstrate to the ICO which lawful basis justifies the data processing. The Commissioner advises that guidance on legitimate interests is already available (see ICO: Data Protection Guide: The conditions for processing) and that there is no need to await further GDPR guidance, which is expected in 2018, as “You know your organisation best and should be able to identify your purposes for processing personal information”.
The blog is the second in a series demystifying the GDPR and the series should provide some comfort to organisations who are preparing for the GDPR; the first focussed on the ICO’s new fining powers (see ICO blog: GDPR sorting the fact from the fiction).