24 Aug ICO – Don’t wait for legitimate interest guidance before GDPR
17 August 2017 by Rebecca Cooney for Third Sector Magazine
There is no need for organisations to wait for guidance before deciding whether to rely on legitimate interest to process donor data under the new rules, the Information Commissioner has said.
In a blog published yesterday afternoon, Elizabeth Denham, the Information Commissioner, acknowledged that opt-in consent was not the only condition under which organisations can process data under the General Data Protection Regulation, the updated data-protection rules due to come into force in May.
The Information Commissioner’s Office published draft guidance on consent in April, which attracted criticism from sector bodies which argued it should make clear how organisations such as charities can process data without consent if they can show they have a legitimate interest in doing so.
In the blog, Denham said the finished consent guidance was due to be published in December, but she said it would not include information on legitimate interest because that was a separate issue that would be covered in separate guidance next year.
“But there’s no need to wait for that guidance,” said Denham. “You know your organisation best and should be able to identify your purposes for processing personal information. Whatever you decide, you’ll need to document your decisions to be able to demonstrate to the ICO which lawful basis you use.”
She said she wanted to clear up any confusion surrounding whether charities and other organisations needed consent to process data.
“The rules around consent only apply if you are relying on consent as your basis to process personal data,” she said. “So let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.”
She also said organisations did not need to wait for the final version of the guidance to be published.
“I know many people are waiting for us to publish our final guidance on consent,” she said. “Businesses want certainty and assurance of harmonised rules. Waiting until Europe-wide consent guidelines have been agreed before we publish our final guidance is key to ensuring consistency. The current timetable is December.
She said that the ICO’s draft guidance on consent was a good place to start at present. “It’s unlikely that the guidance will change significantly in its final form,” Denham said. “So you already have many of the tools you need to prepare.”