ICO's Guide to the GDPR


Ahead of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) coming into force on 25 May 2018, the UK Information Commissioner’s Office (“ICO”) has published a Guide to the GDPR to explain its provisions and help organisations comply with its requirements. This guide replaces the ICO’s previous document (“Overview of the GDPR”) and expands (amongst other things) on the subjects of consent to process personal data, contracts and potential liabilities.

Described by the ICO as a “living document”, it is still very much a work in progress and will be used as a framework on which to build upcoming GDPR guidance and reflect how future GDPR guidance will be presented. The new guide incorporates sections of the GDPR itself, other ICO guidance, and guidance produced by the EU’s Article 29 Working Party while also producing a number of tools to aid organisations in their preparations for the GDPR, including a “Getting ready for the GDPR checklist” and “12 steps to take now”.

The main updates introduced by the new guidance are:

  • Consent – The new guide confirms that while the GDPR sets a high standard for consent, the biggest change will be to the practice of consent mechanisms. For this reason, the new guide has provided checklists for organisations to follow including “asking for consent”, “recording consent” and “managing consent”. It expands on what valid consent is and states that it must include the controller’s name, purposes of the processing and the types of processing activity as well as offer a genuine choice. It also differentiates between consent and explicit consent in that explicit consent must be “expressly confirmed in words, rather than by any other positive action”, banning the use of pre-ticked opt-in boxes. Public authorities, employers and other organisations in a position of power over individuals are advised to avoid relying on consent as it is unlikely to be freely given. The guide goes on to recommend that organisations “keep clear records to demonstrate consent” and that these records be reviewed and refreshed following any change.
  • Contracts – The new guide also expands on the relationship between data controllers and third parties, stating that whenever a data controller uses a processor, the controller must have a written contract in place. Further, a controller must only appoint processors who can provide sufficient guarantees that they will meet the requirements of the GDPR and adequately protect the rights of data subjects. Similarly, if a processor employs another processor, it needs to have a written contract in place. The guide suggests that using a processor which adheres to an approved code of conduct or certification scheme may help controllers satisfy such requirements in the future. While the guide hints that the European Commission or the ICO may provide standard contract clauses in the future (forming part of certification schemes), no such clauses have been drafted at present.
  • Liabilities – The above expansion on contract requirements is coupled with clarification on what this means for liabilities. If a processor fails to meet any of the above obligations, or acts outside or against the instructions of the controller, then the guide confirms that it may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures. If a processor uses a sub-processor then it will also, as the original processor, remain directly liable to the controller for the performance of the sub-processor’s obligations.

Comment

This is the latest step by the ICO towards expanding on the GDPR to help organisations comply with its requirements, with a promise to publish “more detailed guidance on some topics” in the future.

For further guidance on the points discussed in this article or for any other advice on the GDPR and its implementation, please contact Alan Nelson, Duncan Turner or Jennifer Barr.