New ICO Guidance to Help You Market Under the GDPR

Worried about marketing when GDPR comes into force this May? Obtaining consent  - by following these standards - is an important starting point.

This past December, the Information Commissioner’s Office (ICO) updated its existing General Data Protection Regulation (GDPR) consent guidance to include the new Article 29 Working Party (Art. 29 WP) clarifications. The Art. 29 WP is an advisory body made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. The Art. 29 WP published its consent guidance to clarify GDPR consent and make it easier to comply.

Even though the GDPR will come into force on 25 May, the ICO’s consent guidance may yet again change as Parliament works on enshrining the GDPR into UK law in the form of the Data Protection Bill. What’s more, while the guidance introduced by Art. 29 WP is not radically different, your organisation must stay abreast of any new adjustments to ensure compliance. If your organisation collects any personal data, your consent must meet the following GDPR standards:

  • Unbundled—Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.
  • Active opt-in—You cannot use pre-ticked opt-in boxes.
  • Granular—Provide options to individuals to consent to different types of processing.
  • Named—Provide the name of your organisation and any third parties that will be relying on their consent.
  • Documented—Keep records that demonstrate what the individual has consented to, what they were told, and when and how they consented.
  • Easy to withdraw—Inform individuals that they have the right to withdraw their consent at any time and explain how to do that.
  • No imbalance in the relationship—Consent will not be freely given if there is an imbalance in the relationship between the individual and your organisation.

For more information on protecting your organisation with vital cyber-insurance and ensuring continued GDPR compliance, start by running through our in-depth checklist on obtaining consent under the GDPR.