CIPP Payroll: need to know 2018-2019

No, according to the ICO’s Deputy Information Commissioner, you do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

A recent post on the Information Commissioner’s Office blog by Steve Wood, Deputy Information Commissioner, busts another GDPR myth.

“We have to get fresh consent from all our customers to comply with the GDPR.

You do not need to automatically refresh all existing consents in preparation for the new law. But the GDPR sets the bar high for consent, so it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.

Where you have an existing relationship with customers who have purchased goods or services from you it may not be necessary to obtain fresh consent.

It’s also important to remember that in some cases it may not be appropriate to seek fresh consent if you are unsure how you collected the contact information in the first place, and the consent would not have met the standard under our existing Data Protection Act. We’ve heard stories of email inboxes bursting with long emails from organisations asking people if they’re still happy to hear from them. So think about whether you actually need to refresh consent before you send that email and don’t forget to put in place mechanisms for people to withdraw their consent easily.

If consent is the appropriate lawful basis then that energy and effort must be spent establishing informed, active, unambiguous consent.”

Read the full blog here.

Updated guidance

The ICO has also recently published some updates; it has:

• published detailed guidance on Data Protection Impact Assessments (DPIAs)
• expanded the pages on the right of access and the right to object
• published detailed guidance on consent
• expanded the page on the right to data portability

CIPP comment

GDPR (General Data Protection Regulation) should be on the radar of all businesses – it comes into force on 25 May 2018 and applies to all EU and foreign companies that offer services to individuals in the EU (regardless of what happens with the Brexit negotiations). Sanctions for non-reporting of a data breach under GDPR are steep – up to approximately £7m or 2% of global turnover, whichever is greater.

The CIPP’s ‘Payroll: need to know’ (a benefit for members only) contains all the latest information on GDPR – go to My CIPP on our website to access the journal.

The CIPP also runs a half-day training course which will help delegates understand and prepare for the changes, including how they affect payroll and HR functions, so that they can help their organisations become fully compliant by 25 May 2018.


The Chartered Institute of Payroll Professionals


cipp.org.uk
