GDPR Consent Guidance Published by the UK ICO

The United Kingdom Information Commissioner’s Office (UK ICO) released guidance on consent as a legitimate means of processing under the European Union (EU) General Data Protection Regulation (GDPR). We broke down the guidance into this executive summary of consent action items.

Consent Checklist

The consent checklist in the UK ICO guidance is perhaps the most helpful piece of information, though we will highlight other useful information below as well. The consent checklist provides a process for examining your existing consents and determining whether or not you need to seek fresh consent under GDPR; it will also help you prepare fresh GDPR-compliant consent if necessary. See the full checklist here.

Improper Consent Fines

GDPR Article 6(1) requires a lawful basis for processing personal information, and the basis must be documented. Consent is one of the legitimate bases for processing. Infringement of the basic processing principles in GDPR, including improper use of consent, can lead to the highest penalty (4% of global turnover or €20 million) under the GDPR.

Getting Consent Right

 Beyond the checklist, the UK ICO guidance provides a number of ways to get consent right, including:

  • Obtain positive opt-in (not pre-ticked boxes or any other default)
  • Keep consent separate from other terms and conditions
  • Be specific and granular
  • Name any third parties who will rely on the consent
  • Keep evidence of consent (who, when, how, and what you told people)
  • Avoid making consent a precondition of service