U.K. Privacy Office to Issue Consent Standard Guidance


By Ali Qassim

The U.K. privacy office will issue guidance the first week of March for companies on obtaining consent from consumers to use their data, Information Commissioner Elizabeth Denham announced Feb. 24.

The Information Commissioner’s Office guidance on preparing for the European Union’s new General Data Protection Regulation (GDPR) privacy regime will represent “a toughening up on the rules around consent,” Denham said.

In order to be legally sufficient, consent “will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data,” she said. A check-the-box approach won’t be sufficient to show valid consent, Denham said.

If Parliament debates amending U.K. law to conform to GDPR requirements after Brexit, the ICO “will be banging our drum for continued protection and rights for consumers and clear laws for organizations,” Denham said. Complying with GDPR after Brexit makes sense, she said.

Denham gave her first keynote address at the Direct Marketing Association’s annual Data Protection event in London since she took over as the U.K.’s privacy chief in July 2016. A Canadian, Denham was previously British Columbia’s information and privacy commissioner.

Guidance on Profiling, DPOs

The ICO also plans to publish GDPR-relevant guidance on individual profiling once the Article 29 Working Party of data protection officials from the 28 EU countries has completed updating its profiling guidance, Denham said.

Referring to the ICO’s guidance on GDPR in general, she said it will be “a living document, with text added on different points as more guidance is produced.” This will include “links to guidance produced alongside our counterparts in Europe, as and when that is ready, including documents around aspects like data portability and the role of data protection officers,” she said.

Denham assured businesses that the ICO “will not be investigating every data breach” to enforce the mandatory data breach notification requirement under the GDPR.

When a company “reports a breach, if we know it can demonstrate good processes and prove that this was a gap, we will take note and monitor,” she said. The ICO’s tighter focus will be on those businesses “who don’t have their accountability act together.”

Ardi Kolah, program co-director at Henley Business School at the University of Reading in the U.K., advised businesses not to “just wait for guidance.” For instance, on how to act on providing proper consent, companies should not “hide behind terms and conditions” but “take responsibility and think about how they are connecting to customers.”

Role of GDPR Post-Brexit

Denham raised questions about the future of GDPR once the U.K. formally leaves the EU—a process that will take place after the GDPR comes into effect May 25, 2018.

Although the government has “made it clear that EU law will remain U.K. law until the government sees fit to repeal it,” she said, “it’s possible that in the years after the U.K. leaves the EU, Parliament will debate amending the requirements of the GDPR.”

In that event, the ICO “will be banging our drum for continued protection and rights for consumers and clear laws for organizations,” Denham said.

The government “will also need to answer the question about whether the U.K. will seek to keep the U.K.'s data protection law at an equivalent standard to the EU, to allow unrestricted data flows with EU countries,” she said. Stressing the U.K.'s need for “strong data protection laws to achieve all that,” Denham said she couldn’t foresee the rules on consent or marketing “being loosened.”

Denham also defended the need for updating existing U.K. privacy laws. “The world has changed a lot since 1995, not only technology, but your own business models, people’s attitudes to their data, their demand that their information is properly looked after,” she said. “The law needed to change too.”

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
