The latest GDPR guidance to emerge from the Information Commissioner’s Office has serious implications for companies both using and managing third-party data, beefing up existing laws to rule that personal information can only be shared with named companies.
The move builds on from the September 2015 First-Tier Information Rights Tribunal ruling against Optical Express, in which the use of third-party information was effectively outlawed unless it can be proved prospects have opted in to receive marketing from “other” brands.
This forced Callcredit Information Group to overhaul one of its biggest customer databases by rebuilding the Define file, following fears the data could fall foul of laws on consent.
Now it seems, the ICO is getting even tougher, although this is only draft guidance and is out for consultation; companies have until March 31 to respond.
The guidance also warns brands that “if existing consents don’t meet the GDPR’s high standards or are poorly documented”, marketers will need to seek “fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing”.
Speaking about the guidance, DMA Group chief executive Chris Combemale said: “The ICO has given greater clarity as to when and how consent should be the basis for processing data and highlighted the other five legal bases for data processing, including legitimate interest.
“The DMA fought extremely hard to have direct marketing acknowledged as a legitimate interest in the GDPR and we are pleased the ICO Guidance draws attention to legitimate interest as an alternative to consent within certain clear frameworks.
“The DMA also welcomes the section that clarifies how long consent lasts. We have argued for some time that how long consent lasts depends on the context which is clearly stated in the guidance. At the same time we have concerns around some of the specific guidance around consent and will share our views robustly during the consultation period,” he said.
In the guidance, the ICO lists the main changes that marketers will need to consider:
* Unbundled: asking for consent should be separate from other terms and conditions so individuals are clear what they consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
* Active opt-in: the GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
* Granular: where there are various different types of data processing that may occur, allow for separate consent as much as possible. The ICO want organisations to be as granular as possible which means giving consumers more control over what they’re consenting to.
* Named: always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations the data will be shared with need to be named.
* Documented: maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
* Easy to withdraw: individuals should be easily able to withdraw their consent. Organisations must put in place simple and fast methods for withdrawing consent. Tell individuals about their right to withdraw consent.
* No imbalance in the relationship: This point is less relevant for marketing but consent should be freely given and where this is a power imbalance between an organisation and an individual this will be hard to achieve. For example, the relationship between an employer and employee is an obvious power imbalance.
The ICO points out that the draft guidance is subject to change owing to developments in the EU. The Article 29 Working Party, which will become the European Data Protection Board, could have a different interpretation to the ICO which may mean the guidance will be revised.
On page 11 of the guidance the ICO points out that consent is not the only legal grounds to process personal data, and if consent is difficult to use then an organisation should consider using different legal grounds.
The DMA is now gathering feedback from the industry as part of the ICO’s consultation and says it welcomes any comments.
Dogs Trust signs deal to secure GDPR compliance
Data consent ruling rocks industry
Ten crucial steps to tackle GDPR compliance anxiety
Final data countdown: 16 months to save your business
Read it and weep: ICO offers latest GDPR guidance
Consumers back GDPR to make their data safer
7,000 data protection officers needed for UK firms
EU data reforms: the top 5 issues for marketers
Callcredit relaunches Define after 8-month revamp
Callcredit suspends 46m file after consent ruling