The Information Commissioner's Office (ICO) in the UK has published for consultation draft guidance on what businesses and organisations handling personal data will need to do to comply with the new GDPR.
In the draft guidance, the ICO notes that: “The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data.
“When consent is used properly, it helps you build trust and enhance your reputation.”
The draft guidance’s key points include:
• Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
• Consent means offering individuals genuine choice and control.
• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and granular. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third parties who will rely on the consent.
• Make it easy for people to withdraw consent and tell them how.
• Keep evidence of consent – who, when, how, and what you told people.
• Keep consent under review, and refresh it if anything changes.
• Avoid making consent a precondition of a service.
Overall, the draft guidance sets out how the ICO interprets the GDPR, key changes from existing data protection regulation, and its general recommended approach to compliance and good practice.
But it is also clear that the guidance will need to evolve, both to take account of future guidelines issued by the relevant European authorities and in light of experience once the law is in force from May of next year.