The UK's data protection watchdog has published new guidance on consent under the GDPR, which will apply from 25 May.
The ICO's guidance explained how, under the GDPR, rules on consent to data processing have been updated from those that have applied under the Data Protection Act.
The ICO said: "The key elements of the consent definition remain – it must be freely given, specific, informed, and there must be an indication signifying agreement. However, the GDPR is clearer that the indication must be unambiguous and involve a clear affirmative action."
"In essence, there is a greater emphasis in the GDPR on individuals having clear distinct (granular) choices upfront and ongoing control over their consent," it said.
The ICO highlighted new record-keeping duties that require organisations to document the consent they obtain, as well as further rules that require consent requests to be displayed clearly and prominently to data subjects. It also flagged the new right of data subjects to withdraw their consent at any time, as well as rules that prohibit businesses from requiring consumers' consent as a condition of a contract.
Consent is just one of six lawful bases for processing personal data under the GDPR. The ICO explained that there are benefits for businesses that rely on and adhere to the new consent rules.
"Basing your processing of personal data on GDPR-compliant consent means giving individuals genuine choice and ongoing control over how you use their data, and ensuring your organisation is transparent and accountable," the ICO said. "Getting this right should be seen as essential to good customer service: it will put people at the centre of the relationship, and can help build confidence and trust. This can enhance your reputation, improve levels of engagement and encourage use of new services and products. It’s one way to set yourself apart from the competition."
However, the ICO also pointed out that organisations that rely on consent will be responsible for respecting rights of individuals that the GDPR ties to that basis of processing, such as individuals' qualified right to require the erasure of data about them and the right to data portability.
Claire Edwards, a specialist in data protection law at Pinsent Masons, the law firm behind Out-Law.com, said: "As the ICO itself puts it in its guidance, consent will not always be 'the most appropriate or easiest' legal basis on which to rely for processing personal data. Organisations should therefore consider alternatives to consent where possible – often they might find that they have a legitimate interest in processing the data and that they are able to pursue those interests by law without the need for consent."
"Consent will continue to be required by organisations when they engage in direct electronic marketing activities, unless they fall within the soft opt-in rules under e-Privacy regulations, and it is likely that explicit consent will be required where organisations wish to process special categories of data, such as information about an individual's health, sexual orientation or race," she said.
"Although the ICO is at pains to stress that the GDPR does not automatically require organisations to update the consents they have previously obtained, it does urge organisations to review their existing consents and consent mechanisms to ensure that they comply with the new Regulation – in this respect, it is worth highlighting that the use of pre-ticked boxes in online privacy policies will not constitute valid consent," Edwards said.
Steve Wood, deputy commissioner for policy at the ICO, said: "It’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent. Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent."
The ICO's consent guidance complements other consent guidance that a group of EU data protection authorities published late last year.
The Article 29 Working Party, of which the ICO is a part, said that businesses that review existing consents and find that they would be invalid under the GDPR will have a "one off" chance to continue with that processing if another legal basis for the processing applies.