What the ICO guidance on GDPR says, and what we think about it

Since the Information Commissioner’s Office (ICO) announced its plans for general data protection regulation (GDPR) guidance earlier this year, I have no doubt that fundraisers and those involved in direct marketing in charities have been waiting with bated breath to see what the ICO’s interpretation of the new regulation is, and what it will require.

The first piece of detailed guidance was published at the start of March for a four-week consultation, and focuses on consent under the GDPR.

It’s not just about fundraising

As Kristy Weakley at Civil Society rightly says, while the GDPR has mostly been at the top of fundraisers’ agenda, the changes won’t just apply to fundraising. They will apply to all pieces of personal data collected, processed and stored: so also to marketing, campaigning, communications, volunteering and beneficiary databases.

When an individual’s personal data is collected, processed and stored in any of these activities, the GDPR requires ‘freely given, specific, informed and unambiguous consent’ indicated ‘either by a statement or by a clear affirmative action’.

The basic concept of consent, and its main role as a lawful condition for processing, is not new. However, the GDPR does set a higher standard for consent, building on the Data Protection Act in a number of areas.

What the GDPR says: a higher standard for consent

Consent under the GDPR will need to meet the following requirements:


Unambiguous

There must be an unambiguous indication of the individual’s wishes: in practice this means that the way consent is collected should leave no room for doubt about the person’s agreement to their personal data being processed. This may be relatively straightforward to achieve where consent is being sought for a single processing activity, such as signing up to receive a newsletter, but will potentially be harder to demonstrate where the personal data collected is to be processed for multiple purposes.


Affirmative action

The person must take an action, and that action will have to be a clear indication of consent. This is why, as a shorthand, many talk about ‘opt in’. The GDPR text doesn’t refer to opt in, because the affirmative action required can be more than just ticking a box, such as, for example, making a statement. But it’s fair to say that the use of ‘implied consent’ will no longer be acceptable.


Freely given

There must be ‘genuine free choice’. So it will no longer be possible to make access to a service conditional on the person giving their consent.

Yesterday for example I wanted to access an infographic from a website (ironically, the infographic was about consent under the GDPR and the steps organisations should take to achieve it) but when I clicked on the link I was told that I had to provide my email address, with a statement saying ‘by entering your email, you let us know you are happy for us to share relevant information with you’ and no option for me to refuse. Obviously I decided not to enter my address and have not been able to access the infographic – but I am probably not missing out on precious advice given this approach, which is precisely the one that the GDPR will ban.


Specific

Consent has to be separate and distinguishable for each purpose for which it is given, and it must cover all the processing activities carried out. Where processing has multiple purposes, consent must be given for all of them.

This means, for example, that if an individual signs up to receive a newsletter and the organisation wants to share that individual’s data with third parties for marketing purposes, it will need specific consent both to send the newsletter and to share the data.


Informed

Being informed means knowing about all the different purposes of processing, and knowing the identity of the data controller, as a bare minimum. It also means being informed of the relevant rights, such as the ability to withdraw consent or object to some types of processing.


Evidenced

Another condition for consent to be valid is that the controller must be able to demonstrate that consent was given by the individual to the processing of his/her personal data.

This means not just recording the fact that someone ticked a box in a form, but having an audit trail that links the action to the specific privacy notice that they agreed to.
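As an added illustration of the ‘Specific’ and ‘Evidenced’ requirements above, and not code from NCVO, the ICO or any charity, here is a small Python consent ledger. It records one event per subject, purpose and action, refuses methods that are not a clear affirmative action, and stores a fingerprint of the exact privacy-notice wording shown, so that the audit trail links the tick to the notice. The field names, the list of affirmative methods and the sample notice wording are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Methods that count as a clear affirmative action. A pre-ticked box or
# "implied" consent is deliberately absent, so the ledger refuses to record
# it. (Constructed list for this example.)
AFFIRMATIVE_METHODS = {"web_form_checkbox", "signed_statement", "recorded_verbal"}

# Constructed sample privacy-notice wording, version 1.
NOTICE_V1 = (
    "Example Charity will use your email address to send you our monthly "
    "newsletter. You can withdraw this consent at any time using the link "
    "in every email or by contacting us."
)


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset, e.g. '2017-04-01T10:00:00+00:00'."""
    return datetime.fromisoformat(iso)


def notice_fingerprint(notice_text: str) -> str:
    """SHA-256 of the exact notice wording shown: ties the action to the text."""
    return hashlib.sha256(notice_text.encode("utf-8")).hexdigest()


def is_affirmative(method: str) -> bool:
    return method in AFFIRMATIVE_METHODS


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str                   # one purpose per event: consent is specific
    action: str                    # "given" or "withdrawn"
    method: str                    # how the person acted
    timestamp: datetime            # when, with timezone
    notice_version: Optional[str]  # controller's label for the notice shown
    notice_hash: Optional[str]     # fingerprint of the notice text shown


class ConsentLedger:
    """Append-only record of consent given and withdrawn, per subject and purpose."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       notice_version: str, notice_text: str,
                       when: Optional[datetime] = None) -> ConsentEvent:
        if not is_affirmative(method):
            raise ValueError(f"{method!r} is not a clear affirmative action")
        ev = ConsentEvent(subject_id, purpose, "given", method,
                          when or datetime.now(timezone.utc),
                          notice_version, notice_fingerprint(notice_text))
        self._events.append(ev)
        return ev

    def record_withdrawal(self, subject_id: str, purpose: str, method: str,
                          when: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal needs no notice; it is logged however the person chose to do it.
        ev = ConsentEvent(subject_id, purpose, "withdrawn", method,
                          when or datetime.now(timezone.utc), None, None)
        self._events.append(ev)
        return ev

    def _history(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.timestamp)

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Was consent for this one purpose in force at the given moment?"""
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in self._history(subject_id, purpose):
            if ev.timestamp <= at:
                state = ev.action == "given"
        return state

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """The audit trail a controller would produce to demonstrate consent."""
        return [
            {"action": e.action, "method": e.method, "at": e.timestamp.isoformat(),
             "notice_version": e.notice_version, "notice_hash": e.notice_hash}
            for e in self._history(subject_id, purpose)
        ]


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_consent("donor-123", "newsletter", "web_form_checkbox",
                          "v1", NOTICE_V1, ts("2017-04-01T10:00:00+00:00"))
    print(ledger.has_consent("donor-123", "newsletter"))
    print(ledger.has_consent("donor-123", "third_party_marketing"))
    for row in ledger.evidence("donor-123", "newsletter"):
        print(row)
```

Consent for the newsletter says nothing about third-party marketing, so `has_consent` is asked per purpose, and a point-in-time query lets the controller show what was in force when a particular message was sent. Keeping the notice hash rather than only a version label matters when wording is edited without the label changing.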

What the ICO’s draft guidance on the GDPR says, and NCVO’s response to it

The draft GDPR consent guidance (PDF, 253KB) explains the ICO’s recommended approach to complying with the GDPR, and the ICO will use the final version to judge whether organisations have valid consent and are processing data lawfully.

Here below are the main points we made in our response.


Insufficient clarity

Our main comment about the draft guidance is that it currently lacks the level of clarity required for regulatory guidance. In particular, the current draft does not provide a clear distinction or explanation between what the ICO will require as a matter of legal compliance, and what instead the ICO recommends as good practice. There is inconsistency throughout the document between what organisations ‘must do’, ‘should do’ and ‘need to do’. Further confusion is created by sections of the guidance referring to what organisations should ‘avoid’ doing, especially when this is in reference to actions that would almost certainly indicate non-compliance.

There is also a potential confusion with regards to the use in the draft guidance of the expression ‘opt in’. As mentioned earlier, the GDPR requires ‘clear affirmative action’, and this does not need to be expressed as an opt-in box.

The guidance could cause confusion with regards to how the Fundraising Preference Service (FPS) operates. It describes the FPS as allowing individuals ‘to withdraw consent from all charities at once’, but the Fundraising Regulator’s model will be set up to allow individuals to stop contact from specifically named charities. Alignment between the ICO and the Fundraising Regulator on this issue is of the utmost importance, so it is a relief that the Fundraising Regulator is addressing this issue.


Need for detail

In our view, the guidance would benefit from further detail in relation to a number of issues:

  • The mechanisms that organisations will need to put in place for individuals to withdraw their consent easily. It is possible that many organisations will not be confident that they have compliant mechanisms in place, so further guidance from the ICO would be helpful.
  • When consent needs to be ‘refreshed’ and what is the duration of consent. At the moment the guidance makes a generic reference to context, but this could be better explained. For example, NCVO’s report refers to the type of organisation and the nature of the relationship as factors to be considered.
  • How specifically the purposes need to be defined when obtaining consent for different processing operations. Although this will also be a matter of judgement for each organisation, it would be helpful to understand the level of specificity that the ICO will expect.

Consent as the primary basis

Following the Review of Fundraising Regulation, NCVO set up a working group that developed a set of good practice recommendations on how charities should treat donors and their data. Our recommended approach is outlined in the recent report ‘Charities’ Relationships with Donors: A Vision for a Better Future’ (PDF, 365KB).

Although our report’s recommendations are limited to the issue of fundraising and charities’ relationship with donors, NCVO believes that the same concept of consent should be adopted by charities in all their practices involving the collection, use and processing of personal data, and that consent should be prioritised as the basis.

We therefore have concerns about the sections of the guidance that allow alternative bases ‘if consent is difficult’.

Since the GDPR sets a high standard of consent, the guidance rightly recognises that consent will not always be easy to obtain. We agree that there will be circumstances in which there is a more appropriate basis for processing (consent is one of six lawful bases). But we think that the test before forgoing consent and considering alternatives should be a stricter one.

The reasons why consent should be prioritised are not just regulatory. As rightly acknowledged by the guidance, the use of consent has additional benefits to being compliant with the GDPR, as it can improve the level of engagement of individuals with the organisation and encourage trust. This is a fundamental consideration for all sectors, and especially for charities, which depend on the public’s trust and generosity to carry out their charitable activities and have the resources to meet their beneficiaries’ needs.

What next?

The ICO is currently analysing the responses to the consultation, and plans to have a final version of the GDPR Consent guidance ready for publication in June.

The issue of consent is, however, only one of the many changes that will happen under the GDPR. There are likely to be many areas affected, and most importantly a culture change within organisations will most certainly be required. We will be helping our members understand what the changes mean for them and how they can meet standards of good practice. So please keep an eye on our training and events website, and on our blogs for further briefings.

And if you have any questions or concerns, do leave a comment below.


Elizabeth was head of policy and public services at NCVO until 2020.
