This past December, the Information Commissioner’s Office (ICO) updated its existing General Data Protection Regulation (GDPR) consent guidance to include the new Article 29 Working Party (Art. 29 WP) clarifications. The Art. 29 WP is an advisory body made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. The Art. 29 WP published its consent guidance to clarify GDPR consent and make it easier to comply.
Even though the GDPR comes into force on 25 May, the ICO's consent guidance may change again as Parliament works on enshrining the GDPR in UK law through the Data Protection Bill. What's more, while the guidance introduced by the Art. 29 WP is not radically different, your organisation must stay abreast of any new adjustments to ensure compliance.
If your organisation collects any personal data, your consent must meet the following GDPR standards:
- Unbundled — Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.
- Active opt-in — You cannot use pre-ticked opt-in boxes.
- Granular — Provide options to individuals to consent to different types of processing.
- Named — Provide the name of your organisation and any third parties that will be relying on their consent.
- Documented — Keep records that demonstrate what the individual has consented to, what they were told, and when and how they consented.
- Easy to withdraw — Inform individuals that they have the right to withdraw their consent at any time and explain how to do that.
- No imbalance in the relationship — Consent will not be freely given if there is an imbalance in the relationship between the individual and your organisation.
For more information on protecting your organisation with vital cyber-insurance and ensuring continued GDPR compliance, contact Bond Lovis Insurance Brokers and ask for a copy of our in-depth checklist on obtaining consent under the GDPR.
GDPR Compliance Timeline
- Phase 1 (2016-2017): Review IT systems and procedures, and check that your legal grounds for processing are legitimate.
- Phase 2 (January to May 2017): Identify your riskiest data processing activities and strengthen your protection.
- Phase 3 (June 2017 to January 2018): Review and update privacy policies and notices.
- Phase 4 (January to May 2018): Provide GDPR staff training.
- Phase 5 (Ongoing): Monitor compliance efforts, reassess and retrain.
Source of GDPR Compliance Timeline: The Market Research Society