Organisations do not need to automatically refresh all old consents but must check they meet the GDPR standard, the ICO has said in new guidance on the topic.
Where consents do not meet the GDPR standard, organisations must seek fresh GDPR-compliant consent, identify a different lawful basis for their processing, or stop the processing.
This is the ICO’s final guidance on consent ahead of 25 May, according to a blog on the subject by Deputy Information Commissioner Steve Wood, and sits alongside its Guide to the GDPR with more detailed, practical guidance for UK organisations on consent under the GDPR.
As well as ‘busting the myth’ that fresh consent must automatically be obtained from all contacts, it aims to help organisations decide when to rely on consent for processing and when to look at alternatives, explains what counts as valid consent, and sets out how to obtain and manage consent in a way that complies with the GDPR.
The guidance also sets out how the ICO interprets the GDPR, and its general recommended approach to compliance and good practice.
It says that under the GDPR, consent must be ‘freely given, specific, informed, and there must be an indication signifying agreement.’ In addition, ‘the indication must be unambiguous and involve a clear affirmative action.’
Organisations must also ensure they tell people that they have the right to withdraw their consent, and have mechanisms in place to enable people to do so easily. The guidance also covers key changes that organisations must make to ensure their consent mechanisms are GDPR compliant.
These include ensuring consent requests are separate from other terms and conditions and not a precondition of signing up to a service unless necessary for that service, that opt-in is active (no pre-ticked opt-in boxes), and that distinct options to consent separately to different types of processing are given wherever appropriate.