The EU General Data Protection Regulation (GDPR), which takes effect in May 2018, will require companies to reassess their mechanisms for obtaining, tracking, and verifying individuals' consent. Companies will need clear and more granular opt-in methods, good records of consent, simple and easy-to-access ways for people to withdraw consent, and will need to identify third parties with whom they share personal data. This is the main message from the guidance recently issued by the Information Commissioner's Office (ICO), the United Kingdom's data protection authority.
The guidance on consent under the GDPR is the first piece of detailed, topic-specific GDPR advice issued by the ICO, which will accept feedback until the end of the month.
Under the existing EU Data Protection Directive as well as the UK's Data Protection Act, consent has long provided companies with a lawful basis for processing individuals' personal data. The GDPR, however, imposes additional requirements, making consent more challenging to rely on.
Under the GDPR, relying on invalid or inappropriate consent could leave companies open to substantial fines of up to 20 million euros or 4 percent of their total worldwide annual turnover, whichever is higher.
Companies that use consent as the lawful basis for processing personal data should review their consent mechanisms to ensure they comply with the stricter GDPR requirements. Specifically, the ICO recommends that companies ensure that the consents they obtain meet the following standards:
Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a condition of signing up for a service unless the processing is necessary for that service.
Active opt-in: Pre-ticked opt-in boxes are invalid. Instead, use unticked opt-in boxes or similar active opt-in methods (for example, a choice between two equally prominent options).
Granular: Give granular options to consent separately to different types of processing wherever appropriate.
Named: Name your organization and any third parties who will be relying on consent—even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
Documented: Keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. Simple and effective withdrawal mechanisms should be used.
No imbalance in the relationship: Consent will not be freely given if there is imbalance in the relationship between the individual and the controller. For example, public authorities and employers should look for an alternative lawful basis.
The ICO also noted that while all existing consents need not be "repapered" in preparation for GDPR, those consents that do not meet the GDPR's standard and/or are poorly documented should be obtained again to ensure compliance. The ICO provided a consent checklist to help companies with this assessment.
The ICO recommends that companies acting as data controllers assess whether consent is the most appropriate lawful basis for processing, or whether other options such as "necessary for the performance of a contract" or the company's "legitimate interests" would be more fitting. The appropriate lawful basis should be identified at the outset. If a company would still process the personal data on a different lawful basis even if the individual's consent were refused or withdrawn, then seeking the individual's consent would be misleading and inherently unfair.
The ICO noted in a blog post that it intends to finalize and publish this guidance in May 2017, though this timeline could be affected by further developments at the EU level. The ICO also stated that it plans to issue a call for evidence to learn what technical solutions are available for obtaining and managing consent, to better help organizations that use data. The ICO will be very active in the coming months in providing guidance to help companies prepare for the GDPR.
Ballard Spahr's Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors. Our attorneys regularly work with multinational companies on structuring and properly documenting their cross-border data transfers. We also assist in drafting privacy policies, third-party vendor agreements, and information security policies and procedures as necessary to comply with the requirements of the GDPR and the EU–U.S. Privacy Shield.
Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.