ICAEW.com works better with JavaScript enabled.

New guidance: Draft guidance published on how to obtain individual's consent to use of their data under the GDPR

Organisations will welcome new draft guidance, Consultation: GDPR consent guidance, published by the Information Commissioner's Office (ICO), which deals with how to lawfully obtain an individual's consent to processing of their personal data under the new General Data Protection Regulation (GDPR).

Legal Alert

This update was published in Legal Alert - April 2017

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.

The GDPR is an EU Regulation that should strengthen and unify data protection for individuals within the EU, and will regulate the export of personal data outside the EU. The expected introduction date is 25 May 2018. Its aim is to give citizens control over their personal data and simplifying the regulatory environment for international business. It will replace the UK's current data protection laws.

As it is an EU Regulation the GDPR has direct effect (there is no need for enabling UK law). It will come into force while the UK is still in the EU, given that Brexit is some years away yet.

Much of the new law will be the same as existing UK data protection law but there are major differences. Businesses should start to think about necessary changes now, and take preliminary preparatory steps.

One of the differences relates to the way organisations obtain consent from individuals to use or otherwise process their personal data under the GDPR compared to existing UK law. For example, pre-ticked boxes, blanket or non-specific consents, and mere acknowledgements by users that their data may be used will no longer be sufficient.

The Government has now completed a short consultation on the draft guidance and has not yet responded to consultees. Separate guidance on this topic has yet to be issued by the Article 29 Working Party (an EU body made up of European Data Protection Regulators). The final form of the ICO guidance may therefore change.

However, data processors and controllers in UK companies will be better equipped to understand and act on the final ICO guidance (and the Regulations generally) if they are familiar with the current draft. The final ICO guidance is due to be published in May 2017.

Operative date

  • Now

Recommendation

Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.