Consent is not the ‘silver bullet’ for GDPR compliance


By Elizabeth Denham, Information Commissioner.

Last week I launched a series of blogs to bust some of the myths that have developed around the General Data Protection Regulation (GDPR).

Before the new law comes into effect on 25 May 2018, I feel bound to sort the fact from the fiction.

Because there is a lot of misinformation out there and for many who are new to data protection and the GDPR it’s creating uncertainty. Organisations that want to get it right – and we know that’s the majority – can sometimes feel like rabbits in the headlights, not knowing which way to leap.

Last week I set the record straight on our new fining powers.

My second blog tackles an equally high-profile issue – consent.

Myth #2

You must have consent if you want to process personal data.


The GDPR is raising the bar to a higher standard for consent.

Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.

This has understandably created a focus on consent.

But I’ve heard some alternative facts, such as “data can only be processed if an organisation has explicit consent to do so”.

The rules around consent only apply if you are relying on consent as your basis to process personal data.

So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.

Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR.

Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.

For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

Local authorities processing council tax information, banks sharing data for fraud protection purposes, insurance companies processing claims information.

Each one of these examples uses a different lawful basis for processing personal information that isn’t consent.

The new law provides five other ways of processing data that may be more appropriate than consent.

‘Legitimate interests’ is one of them and we recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working to publish guidance on it next year.

But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.

Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use. Data protection impact assessments will be able to help you with the task of understanding how you can meet conditions for processing and make your business more accountable under the GDPR.

But if you are relying on consent, I want to explode another myth that organisations can only start their preparations once the ICO has published guidance.

Myth #3

I can’t start planning for new consent rules until the ICO’s formal guidance is published.


I know many people are waiting for us to publish our final guidance on consent. Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.

But the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form. So you already have many of the tools you need to prepare.

Finally, when we do publish our formal guidance on consent, it will not include guidance on legitimate interests or any other lawful bases for processing. It’s guidance on consent and will only cover consent.

Our series will continue next week.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

113 Responses to Consent is not the ‘silver bullet’ for GDPR compliance

  1. Pingback: GDPR - are you prepared? - Moove Agency

  2. Pingback: How to Be GDPR Compliant: A Guide for SaaS and Beyond | Process Street

  3. Steven Mills says:

    The ICO are currently failing to enforce the Data Protection Act against organisations processing data unlawfully, currently taking over 8 weeks to respond to public complaints and responding with feeble responses. What chance have they got enforcing the GDPR! I currently have 0% trust in them at the moment.

  4. Pingback: How to show GDPR compliance | Padua Communications

  5. Pingback: GDPR In 4 Minutes - A LeadByte Overview

  6. For processing to be lawful under the GDPR, you need to identify a lawful basis before you start.

  7. Roger Cansdale says:

    I belong to a Canal Society. It is a registered charity and a limited company. How are we required to demonstrate that one of our members has given their consent to our keeping their contact details? Do we need a signed piece of paper for each person or will an e-mail do? If the latter, how must we store it? Would a spreadsheet with a note of the date of a telephone conversation be sufficient?

    • Hi Roger,

      What you need to consider is if someone complains to the ICO then you will need to provide evidence that consent was given. The ICO does not appear willing to give guidance on this sort of thing, so you need to make your own judgement.

  8. Roger Cansdale says:

    We keep a list of our members and their contact details to enable us to send out a quarterly newsletter, some hardcopy by post and others by email, and to make any other contacts that may be needed from time to time, such as calling a General Meeting.
    Would that all count as Legitimate Interest? If so, how can we obtain official confirmation that we need take no further action?

  9. Pingback: The GDPR, algorithms and people analytics | phoebevmoore

  10. Simona says:

    Great article, thank you for it. The definition and breadth of sensitive/personal information is quite challenging. At Pingar we can identify N number of sensitive information types that are recorded in text and forgotten. However, enabling workflows that are based on sensitive information types remains a challenge for many organisations. Do you have an idea how to tackle it?

  11. Tim Morgan says:

    >GDPR Recital (47) …. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

    So, does this mean that consent is not required for email marketing, unlike PECR? I’m particularly interested in B2B email marketing, where prospects and customers have registered interest online (which seems like implicit / soft consent).

  12. Phillip Banting says:

    What are the consent rules or standards for B2B? Are they the same as B2C?

  13. Pingback: What is GDPR? | Learn about the General Data Protection Regulation..

  14. Pingback: Is 'consent' the best approach for insurers? |

  15. Joe Green says:

    Some here may be interested in a new way to build a consent mechanism into the application itself, giving the data owner control over who sees and who processes their data. This is a new technology that could be built into any application, extending complete privacy and control of the data to the customer. More about “Customer Controlled Data”:

  16. Pingback: GDPR: What’s Happening? | Blog Now

  17. Pingback: 10 of the most important cyber security articles of 2017 | CYBSAFE | Resource Centre
