Many organisations are struggling with the European definition of ‘consent’
Many organisations are struggling with the European definition of ‘consent’

Issues around consent are increasingly troubling the minds of data protection professionals according to a new blogpost from the Information Commissioner's Office (ICO).

Jo Pedder, interim head of policy and engagement at the ICO, writing in response to a recent public consultation on guidance on EU regulation, said, “the issue of consent surrounding the use of data has proved to be increasingly high-profile recently – and that has been reflected in the large number of responses to our draft GDPR (General Data Protection Regulation) Consent guidance.”

The consultation collected 300 responses from a variety of sectors and recently closed. The ICO will now review its findings, taking into account “any guidelines on consent that may be issued by relevant European authorities.”

“Consent has become so much harder under GDPR”, Guy Cohen, strategy and policy lead at Privitar told SC Media UK. The GDPR makes acquiring the consent of a data owner a far more arduous process for firms. Under its regulations, organisations will have to make clear to those providing them with personal data what that data will be used for, how it will be used before asking them how.

“The problem with consent is that it has to be informed”, says Cohen. “It's very hard for an individual to understand what they are consenting to and if they don't understand, if there hasn't been clear and unambiguous consent, that consent is invalid and that produces huge difficulties further down the line.”

The push has been towards making organisations consider what is appropriate, adds Cohen. Under legitimate interest, a basis for the lawful processing of data, it is the responsibility of the data handling organisation to make sure its interest does not outweigh the privacy risks to the individual.

Organisations will have to think about how that individual's privacy could be harmed and evidence will have to be produced to show that process. All of this goes towards “putting the responsibility that the data is being use ethically on to the controller rather than the individual.”

The ICO's disclosure has not arrived in a vacuum. The post comes shortly after a number of charities were fined by the ICO for data sharing practices that were judged to be illegal, though conducted for years while the charities wrongly thought otherwise.

A short while later, the charity industry body known as the Institute of Fundraising (IoF), called on the ICO to release clear guidance on consent within the GDPR. Daniel Fluskey, head of policy and research at the IoF, said in a statement, "the standard for consent is raised under GDPR, and we think that the guidance could be clearer and more helpful for charities in certain areas.”

It's important that UK firms are made to understand what it means by May next year, when the GDPR comes into force. The landmark piece of regulation brings in a variety of data protection regulations for firms such as the mandatory appointment of data protection officers, pseudonymisation of personal data held by organisations and perhaps most notably, breach notification within 72 hours of such an event. Offenders may find themselves with a fine of up to four percent of worldwide turnover, or €20 million (£17 million), whichever is higher.

The ICO is trying to have new guidance in place by June, but have added the caveat that this date may be affected by developments in Europe.