Just say yes! The ICO’s guidance to Consent under the GDPR

As you are probably aware consent is, under current UK Data Protection law, one of the most widely used grounds for the lawful processing of personal data. The definition and role of consent introduced in the General Data Protection Regulation (GDPR), which comes into force in under a year, remains fairly similar to that under the current regime, however the regulation introduces a new higher standard for consent. This standard involves offering people a genuine choice and control over how their personal data is used.

The biggest change introduced with the GDPR is in the practice for consent mechanisms. Clearer and more granular opt-in methods, meaning consents must be unbundled from other terms and conditions, good records of consent and simple easy-to-access ways for people to withdraw consent will all be needed.

These changes are welcomed in light of the various stories which have recently surfaced in relation to a number of high profile charities being fined for breaches of the Data Protection Act 1998.

This means you may have to change your data protection policies, methods of obtaining consent and even obtain new consents for the individuals whose personal data you already process.

What’s the story so far?

In December 2016, the RSPCA and the British Heart Foundation were fined £25,000 and £18,000 respectively for secretly screening millions of their donors, using their personal data in an effort to target them for more donations.

The two charities used three different methods in failing to handle donors’ personal data without consent in a manner consistent with that of the Data Protection Act 1998.

Wealth Screening

Both charities employed wealth management companies to investigate the financial status of the charity supporters. This information included the names, dates of birth and the value and date of the last donation and gave the charities an estimation of how much more money the supporters could be persuaded to give.

The RSPCA admitted that it has repeatedly wealth screened all of its supporters without obtaining their consent. The British Heart Foundation told the ICO that it had been screening donors between 2010 and 2014 and that it had also provided records to wealth screening management companies containing personal data of several million people without their consent.

Data and Tele-matching 

The data and tele-matching practice involved the charities hiring companies to find out personal information that was not provided by the donors. The companies used existing data to trace new information without the donor’s consent.

Data Sharing

Both the RSPCA and the British Heart Foundation were part of a scheme called “Reciprocate” where they could share or swap personal data with other charities to receive information and details of prospective donors they could target.

The ICO found that both charities gave donors the chance to opt out for their data to be shared with “similar organisations”, however this description was found to be too vague and did not provide donors with enough information to make an informed decision of whether to opt out.

Recent Developments

Following the RSPCA and British Heart Foundation stories, the ICO has recently issued eleven charities with monetary penalties for misusing donor’s personal data under the Data Protection Act.

After further investigations the ICO found that a number of charities has secretly screened millions of donors in attempts to target them for additional charity funds. Amongst the list of charities fined were Cancer Research UK (£16,000), Macmillan Cancer Support (£14,000) and Great Ormand Street Hospital Children’s Charity (£11,000).

The eleven charities fined for data protection offences had either traced and targeted new donors by piecing together information from other sources or traded personal details with other charities, without the donor’s consent, creating a large pool of donor data for sale.

Following investigations, the ICO exercised its discretion in reducing the fines considerably after taking the risk of adding distress to the donors who had been targeted by the charities into consideration. The ICO has scrutinised the activities undertaken by the charities and has issued guidance going forward to reflect a more dynamic idea of consent.

What do you need to do? 

Following on from the ICO’s decisions, the new guidance on consent is an important step in building customer trust and organisations will need to review their consent mechanisms to make sure they meet the new GDPR requirements. There is now a lot more clarity around what data controllers need to do in terms of data collecting.

In particular organisations will need to make sure they follow the following key points when gathering personal data:

1. Consent requests must be kept separate from other terms and conditions and should not be a precondition of signing up to a service unless necessary for that service;
2. Active opt-in boxes should be used as pre-ticked opt-in boxes are invalid;
3. Granular options to consent must be given separately to different types of processing wherever appropriate for example, separate options to consent to e-mail, post, mobile telephone;
4. Organisations must be named along with any third parties who will be relying upon the consent;
5. Records must be kept to demonstrate what the individual has consented to including what they were told and when and how they consented;
6. Individuals must have the right to withdraw their consent at any time and must be told how to do this. There must therefore be a simple and effective withdrawal mechanism in place; and
7. Consent must not be freely given if there is an imbalance in the relationship between the individual and the controller.

It is imperative that where you process personal data you comply with the consent requirements under the GDPR. As we have seen the ICO has issued fines of up to £25,000, however this pales in comparison to the potential fines of €20 million or 4% of global annual turnover.

The negative publicity for failing to adequately handle personal data can also have a huge impact on your business, badly eroding trust and damaging the reputation of your organisation. This in the long run can be even more damaging than a fine to your business’s bottom line.

We are also hosting a seminar on the GDPR at Sixways Stadium, Worcester on the 8^th June, giving you an opportunity to get fully clued up on what you need to do to make sure you are compliant with the GDPR in time. We are excited to be running two sessions in the morning and afternoon and would be delighted if you would come along and hopefully learn a bit more about protecting your business from a data protection perspective.