ICO publishes expanded guidance on GDPR
The ICO has replaced its “Overview of the GDPR” with a “Guide to the GDPR”.
The guide includes expanded sections on consent, contracts and liabilities, following consultations on these areas, which closed late last year.
The GDPR is introducing a higher standard for consent than is currently required under the Data Protection Act 1998. However, obtaining consent from a data subject does not by itself mean that their data will always be processed lawfully. The updated guide emphasises that consent is only one lawful basis for processing; there are alternatives, and consent may not be the most appropriate option for the trustees of pension schemes if they cannot offer members a free choice over what is done with their data.
The ICO has accepted that a number of areas in relation to consent still need clarification, such as the naming of third party controllers who intend to rely on consent as their lawful basis to process the personal data.
The Article 29 Working Party published its guidelines on consent in December 2017, with a window for public comment open until 23 January 2018. Once these have been finalised, the ICO intends to publish the final version of its consent guidance, which should offer some clarification. We will provide further updates on this in due course.