Rumours are circulating that the final Consent Guidance from the Information Commissioner’s Office may be further delayed; it had been anticipated early in the New Year. This presents an issue for many organisations that want to push forward with preparations for the GDPR armed with as much information as possible to ensure they are interpreting the Regulation correctly.
Back in March the ICO published draft Guidance on Consent, and in the summer the Information Commissioner, Elizabeth Denham, told organisations they should work with this draft and that the final guidance would not ‘substantially’ change. Currently (at the time of writing), the ICO’s website says, under “Guidance – what to expect and when”:
“We also intend to publish detailed guidance on consent (taking account of the comments we received on the draft we issued previously) and on the other lawful bases for processing, including legitimate interests. We expect this will be early in 2018, as we think it is reasonable to wait until after the Article 29 Working Party guidelines on consent have been adopted.”
It would be reasonable to assume that this suggests the detailed final guidance could potentially change based on the feedback received, or perhaps be enhanced to provide more specific detail. The concern for many is that any tweak or further clarification could prove quite vital in decisions that are being made.
The Article 29 Data Protection Working Party (WP29) has now finally published its draft guidelines on Consent (these can be found here). But these are a draft and are open to consultation until 23rd January 2018. We can then presume it will take a period of time for any feedback to be assessed, prior to final adopted guidelines being published.
Can we now expect the ICO to wait for these guidelines to be formally adopted before issuing their detailed and final Consent Guidance? That could mean a delay until April or even May, perilously close to GDPR “D-Day” on the 25th.
14 December 2017
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.