In her blog last week, the UK Information Commissioner, Elizabeth Denham, tackled the issue of consent under the GDPR. This blog, the second in a series to be published by the ICO, is intended to address some of the myths that have developed around the GDPR. The first blog looked at the ICO’s new fining powers under the GDPR.
The latest blog deals specifically with two myths that are creating uncertainty for organisations that want to be compliant under the GDPR.
Myth #1 – You must have consent if you want to process personal data.
The Commissioner notes that the rules around consent only apply if you are relying on consent as your basis for processing personal data. While consent is one way to comply with the GDPR, it is not the only way. There are, in fact, five other grounds for processing data lawfully under the GDPR, where processing personal data is necessary:
- For the performance of a contract with the data subject or to take steps to enter into a contract
- To comply with a legal obligation
- To protect vital interests of a data subject or another person
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
- For the purposes of legitimate interests pursued by the controller or a third party
It is therefore not the case that you must have consent if you want to process personal data.
The Commissioner comments that the GDPR is instead raising the bar to a higher standard for consent. Pre-ticked opt-in boxes, for example, will no longer be valid, and data subjects must be provided with a straightforward way to withdraw their consent.
However, all this focus on consent hasn’t left much room for discussion on the other lawful grounds that may be considered (as noted above). ‘Legitimate interests’ is one of these, and the Commissioner recognises that organisations want more information about how this might work. Further guidance is likely to be published next year, but in the meantime, the Commissioner points to existing guidance on legitimate interests from both the ICO and the Article 29 Working Party. In any event, she considers it unnecessary to wait for the new guidance, as organisations should already be in the best position to identify their purposes for processing personal data, and will need to document these decisions to meet the accountability provisions under the GDPR.
Myth #2 – I can’t start planning for new consent rules until the ICO’s formal guidance is published.
Although the ICO is aiming to publish its final consent guidance in December, the Commissioner notes that the ICO’s draft guidance on consent is a “good place to start for now”. The guidance is unlikely to change significantly in its final form, which means that organisations already have many of the tools to prepare. However, it should be noted that this guidance will only cover consent, and will not include information on any of the other lawful grounds for processing.
The ICO’s blog is helpful in reminding organisations that consent is not the only lawful ground for processing personal data. Indeed, the concept of different grounds for processing is not a new one – these are currently found in Article 7 of the Data Protection Directive (95/46/EC) and Schedule 2 of the Data Protection Act 1998. Some organisations will therefore already be relying on alternative grounds for processing, and it is important to revisit these and clearly document the reasons why they are relying on such grounds to meet the accountability requirements in the GDPR. This step should also be taken by all other organisations currently preparing for the GDPR, as they look closely at why they are processing personal data.
The blog is also a helpful reminder that the GDPR is raising the bar for consent. So if organisations are seeking to rely specifically on consent for processing, as opposed to any of the other five grounds, they need to make sure that the consents they already have meet the stricter GDPR standard. If they don’t, they will have to update them.
In terms of where organisations can seek guidance on consent requirements under the GDPR, the ICO’s position is clear. The draft consent guidance published earlier this year is a good starting point, as it is unlikely that the final version will change significantly. This will no doubt worry organisations, particularly within the marketing industry, that voiced their concerns earlier this year in response to the ICO’s consultation. However, given the timing, it is not advisable to wait for the final guidance.
So if they haven’t already done so, organisations should check that current consents meet GDPR standards and update them if they don’t; or, if consent is not appropriate, look at alternative grounds to justify processing.