The ICO has published its second piece of draft guidance on the new General Data Protection Regulation (“GDPR”), this time on consents.
The GDPR sets a high standard for consent and organisations will need more granular opt-in methods; they will also need to keep records of consent and provide simple ways for individuals to withdraw their consent. The guidance explains the GDPR requirements in more detail, including:
- Obtaining consent – what is required for valid consent under the GDPR, and the issues likely to arise
- Deciding when to obtain consent – consent needs to be capable of being withdrawn, so it may be appropriate to rely on alternative bases for processing instead of consent in some circumstances
- How to record consents – how to keep an audit trail of how and when consent was given
- Managing consents – keeping consents under review and how to enable individuals to access and update their consent settings
The Article 29 Working Party is also expected to publish European-level GDPR consent guidance later this year.