On 3rd March, the ICO released their long-awaited draft guidance on the rules for Consent under the GDPR, which will fully come into effect in May 2018. Their guidance notes are a consultation piece and the ICO have extended a deadline until 31st March to receive comments and feedback on the guidance.
Consent, particularly for direct marketers, forms a key component of the changes under the new data protection legislation, so understanding it will be vital to future strategy for how personal data is collected and processed.
In effect, the definition of consent under GDPR isn’t wildly different to the existing one under the Data Protection Act, although it does contain more detail. The main changes affect the way you collect consent and the mechanisms for storing and updating this consent. There is greater emphasis on giving individuals clear, granular choices up front and control over their consent moving forwards.
One thing to note at this stage: there are 6 lawful bases listed within GDPR for processing personal data. Consent is one of them. One of the others is Legitimate Business Interest, and there are several references to this within the guidance notes as an alternative to consent.
Under GDPR, direct marketing is acknowledged as a legitimate business interest and so marketers will increasingly be relying on this as grounds for processing personal data rather than on consent. For some channels of communication, such as electronic (email, SMS etc.), you will have no option but to gain consent as these are covered under the ePrivacy laws (PECR). However, for other channels, including direct mail, you can rely on legitimate business interest (assuming you meet their criteria) which can still be collected under an ‘opt-out’ mechanism.
I feel that the ICO also need to issue clear guidance on legitimate business interest as grounds for processing personal data alongside the consent guidance in order for companies, particularly direct marketers, to be able to differentiate between the two. Otherwise I suspect many will read the consent guidance notes and feel that these need to apply to all the activity they do. There is still a lack of clarity on this point for direct marketers.
Another consideration, for the charity sector specifically, is that these guidance notes need to be taken into account alongside the recently published ‘Personal Information and Fundraising Consent, Purpose and Transparency’ guidance notes issued by the Fundraising Regulator. While this report.