Information Commissioner’s Office publishes guide to GDPR

The Information Commissioner’s Office (ICO) has published its “Guide to the General Data Protection Regulation”, which includes sections on using consent to process personal data, contracts and possible liabilities.

The guide replaces the ICO’s previous document, Overview of the GDPR, and expands previously published sections on contracts and on liabilities for organisations under GDPR.

The new guide includes checklists for organisations seeking to process data lawfully using consent. These checklists include “asking for consent”, “recording consent” and “managing consent”. The guide also sets out what the ICO considers “valid consent”. The guide defines this as being “freely given”, and specifically says that it must “cover the controller’s name, purposes of the processing and the types of processing activity” and must be “expressly confirmed in words, rather than by any other positive action”.

It says organisations using consent to process data must make such a request “prominent, concise, separate from other terms and conditions and easy to understand”. It also says that organisations using consent must “ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or default settings”.

The guide also recommends that organisations “keep consents under review and refresh them if anything changes”. It also suggests building “regular consent reviews into your business processes”.

The updated sections of the guide can be read on the ICO’s website. GDPR is set to come into operation on 25 May 2018.

November 28, 2017

