The General Data Protection Regulation (GDPR), or the Data Protection Bill, will come into force on 25 May 2018. Despite there being less than a year for UK organisations to become compliant, the Information Commissioner’s Office (ICO) has yet to finalise its consent guidance, which it plans to release in December. As the specifics surrounding consent requirements under the GDPR are still subject to change, it can be a challenge to know what proactive measures your organisation can take now.
Nevertheless, it’s expected that the central components of what is currently known about GDPR compliance will remain relatively unchanged when the official guidance is published by the ICO. For that reason, your organisation should review how it obtains customer consent to ensure that it meets the following GDPR requirements:
- Unbundled. Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.
- Active opt-in. You cannot use pre-ticked opt-in boxes, as they are invalid.
- Granular. Provide options to individuals to consent to different types of processing.
- Named. Provide the name of your organisation and any third parties that will be relying on consent.
- Documented. Keep records that demonstrate what the individual has consented to, what they were told, and when and how they consented.
- Easy to withdraw. Inform individuals that they have the right to withdraw their consent at any time and explain how to do that.
- No imbalance in the relationship. Consent will not be freely given if there is an imbalance in the relationship between the individual and your organisation.
Regardless of the specifics of the ICO’s final consent guidance, your organisation should begin making changes to its consent practices now.