The UK Information Commissioner's Office has published draft guidance for data controllers on what it's actually going to mean for users to consent to their data being collected and shared under the European Union's looming General Data Protection Regulation (GDPR).
You have already heard about that new regime, which will become law in the UK on the 25 May, 2018, regardless of Brexit.
The GDPR will introduce a much higher standard for consent data controllers need in order to legally handle others' data. Organisations are going to need "clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent" or they will be found in breach of the regulation.
As per Article 83 of the GDPR, in the most extreme cases of breaches of the regulation, organisations can be fined €20m or up to 4 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
As expert cloud and tech lawyer Frank Jennings told The Register in his excellent breakdown of the regulation:
Consent is the quick way to comply with data protection laws. GDPR tightens this regime. To rely upon consent, it must be given by a "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement". Consent must be "explicit" in relation to sensitive data. Consent must cover all the proposed activities and will not be regarded as freely given if there was no genuine or free choice. Also, individuals can withdraw their consent at any time. Companies should immediately review their consent statements, tick boxes, privacy policies and terms and conditions.
With a 39-page document published today [PDF], the ICO has opened a consultation on its draft guidance on consent under the new regulation. This guidance is ostensibly designed to help organisations dodge those gargantuan fines.
The consultation, which is available here [PDF], ends 31 March. It involves a short questionnaire and is open to everyone. ®