
Raising The Bar – Consent Under The GDPR

GDPR Compliance
23 May 2018 | Updated 25 May 2018

Straight from the horse's mouth, Steve Wood, Deputy Information Commissioner, writes for ThisWeekinFM on the topic of 'consent', how to get it and what to do with it.

We’ve already tackled some myths around consent when it comes to the General Data Protection Regulation (GDPR) and you’ll be pleased to hear we’ve now published our final detailed guidance on consent to help you on your GDPR journey - see the ICO website. This follows the guidance issued by the European Group of Data Protection Authorities, the Article 29 Working Party.

(Editor's note - if you are looking for accurate, informed, unbiased and comprehensive information on GDPR or the Privacy & Electronic Communications Regs, the ICO website is the place to go.)

From marketing agencies, to clubs and associations, to local authorities, consent has been a hotly debated topic.

Some of the myths we’ve heard are, 'GDPR means I won’t be able to send my newsletter out anymore' or 'GDPR says I’ll need to get fresh consent for everything I do'.

I can say categorically that these are wrong - but if misinformation is still being packaged as the truth, I need to bust another myth.


Myth #9 We have to get fresh consent from all our customers to comply with the GDPR.

You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.


Existing Data Protection Act

It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place and the consent would not have met the standard under our existing Data Protection Act.


Email asking for consent

We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.

If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.

Organisations risk non-compliance if their emails are difficult to follow and key information is lost at the end of long text – people must clearly understand what they are consenting to.


Being open and transparent is a key component of the GDPR, and the ICO has provided guidance on informing people about how their data is used.

Before sending emails, consider what the most effective way is to reach your customer – it may not be email. Consider a data protection by design approach – where can this information be embedded to have the best impact?

Some have said that they will lose customers by bringing their consents to the GDPR standard. I say you will have better engagement with them and build customer trust.

Our research found that only one fifth of the UK public (20%) have trust and confidence in companies and organisations storing their personal information.


As the Commissioner said in her blog, ‘consent is not the silver bullet for GDPR compliance’: consent is one way to comply with the GDPR, but it’s not the only way.

Scaremongering about consent still persists but the headlines often lack context or understanding about all the different lawful bases organisations could use for processing personal information under the GDPR.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start. There are six lawful bases available for you to choose from. No single basis is ’better’ or more important than the others – which one is most appropriate will depend on your purpose and relationship with the individual.

You know your organisation best and the purposes that you are processing personal data for. But there is help available – we have lots of guidance and resources on our website including our lawful basis interactive guidance tool that gives tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.


Marathon not a sprint

If your organisation is still on its journey to GDPR compliance you should continue with your efforts (preferably before the law takes full effect on 25 May), but remember that this date is the start and not the end of GDPR compliance. Organisations need to sustain their compliance processes over time – this is the best way to take people with you on your business journey.

Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice.

Article written by Steve Wood | Published 23 May 2018
