The Information Commissioner’s Office (ICO) has published its final guidance on consent as a lawful basis for processing personal data under the General Data Protection Regulation (GDPR). I find this is an area that is causing particular confusion for small business owners, and this guidance should assist greatly in clarifying a few of the grey areas.
This guidance should be read with the ICO Guide to the GDPR. It considers:
- Why consent is important;
- What is valid consent;
- A summary of the main differences between consent under the Data Protection Act 1998 (DPA 1998), the GDPR and the Data Protection Bill 2017-19;
- When consent is appropriate;
- How consent should be obtained, recorded and managed.
In addition, the European Commission has published a document aimed at smaller businesses that do not handle data as a core business activity, i.e. those that mainly process data concerning their employees and clients. This document, entitled Seven steps for businesses to get ready for the General Data Protection Regulation, provides useful information on informing customers, employees and other individuals when their data is being collected, and it offers guidance on data retention periods.