A short guidance note explaining the GDPR obligations on businesses with regard to processing personal data under the lawful basis of consent and containing a link to the ICO’s draft Consent Guidance.

What does the law require?

Consent under the GDPR must be a freely given, specific, granular, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action (essentially a positive “opt-in”). Under the GDPR, it will generally not be possible to infer consent from silence, pre-ticked boxes or inactivity.

The GDPR also requires consent wording and consent mechanisms to be prominent and kept separate from other terms and conditions, and requires that people be given simple ways to withdraw consent. In employment situations in particular, it is unlikely that consent will be valid because of the perceived “imbalance” in the employer-employee relationship.

Consent also has to be verifiable, and individuals generally have more rights where you rely on consent to process their data. It is worth noting that you do not always need consent in order to process personal data, provided that you can demonstrate you have another lawful ground for processing it – for example, where processing is necessary for the purposes of your agency’s legitimate interests (provided that those interests are not overridden by the rights of the individuals whose personal data are being processed). Consent has no more – or less – weight as a lawful means of processing than any of the other five means set out in the GDPR, including legitimate interests.

What do you actually need to do?

Consent is relevant for a range of processing activities. However, it is particularly relevant in a direct marketing context. In most cases, agencies will not be conducting direct marketing for their own purposes but may instead be assisting clients with their direct marketing activity. In these cases, the responsibility for obtaining sufficient and appropriate consent will sit with the client (as the data controller) as opposed to your agency (as the data processor).

To the extent your agency does obtain consent to process personal data for your own purposes, you will need to review how you seek, record and manage consent. It is not necessary to automatically refresh all consents which were obtained under current data protection law in preparation for the GDPR. However, if you are relying on individuals’ consent to process their data in certain situations, it is important to make sure that the consent you have obtained meets the GDPR’s requirements or, if it does not, that you alter your consent mechanisms and seek fresh GDPR-compliant consent (sometimes referred to as “re-permissioning”), or find an alternative to consent. Re-permissioning exercises must be approached with extreme caution as they are very high on the ICO’s agenda and have led to fines for businesses that have attempted a re-permissioning exercise but have failed to conduct it in accordance with current data protection law.

How can the IPA help?

The IPA webinars give further guidance as to how to obtain consent under the GDPR. At this stage the IPA has not published any template consent notices for agencies to use because of the range of situations in which they might apply and the variety of forms consent mechanisms can take. However, the IPA may publish further guidance in this area in due course.

In the meantime, you should refer to the ICO’s draft consent guidance which explains how to obtain valid consent under the GDPR. It is important to note that, as at the date of this IPA Guidance, the ICO’s consent guidance is currently in draft form (the IPA responded to the ICO’s questionnaire on the draft) with an updated version due to be published later in 2017. It is therefore possible that the guidance regarding consent may change, although the ICO has commented that it is unlikely material changes will in fact be made.

Last updated 01 May 2024