Skip to main content

New ICO Guidance To Help You Market Under The GDPR

blog compliance consent GDPR ICO new legislation

This past December, the Information Commissioner’s Office (ICO) updated its existing General Data Protection Regulation (GDPR) consent guidance to include the new Article 29 Working Party (Art. 29 WP) clarifications. The Art. 29 WP is an advisory body made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. The Art. 29 WP published its consent guidance to clarify GDPR consent and make it easier to comply.  

Even though the GDPR will come into force on 25 May, the ICO’s consent guidance may yet again change as Parliament works on enshrining the GDPR into UK law in the form of the Data Protection Bill. What’s more, while the guidance introduced by Art. 29 WP is not radically different, your organisation must stay abreast of any new adjustments to ensure compliance. If your organisation collects any personal data, your consent must meet the following GDPR standards:


  • Unbundled—Consent requests must be separate from other terms and conditions, and should not be a precondition of signing up for a service.
  • Active opt-in—You cannot use pre-ticked opt-in boxes.
  • Granular—Provide options to individuals to consent to different types of processing.
  • Named—Provide the name of your organisation and any third parties that will be relying on their consent.
  • Documented—Keep records that demonstrate what the individual has consented to, what they were told, and when and how they consented.
  • Easy to withdraw—Inform individuals that they have the right to withdraw their consent at any time and explain how to do that.
  • No imbalance in the relationship—Consent will not be freely given if there is an imbalance in the relationship between the individual and your organisation.

GDPR Compliance Timeline
  • Phase 1 (2016-2017):
Review IT systems and procedures, and check that your legal grounds for processing are legitimate.
  • Phase 2 (January to May 2017): 
Identify your riskiest data processing activities and strengthen your protection.
  • Phase 3 (June 2017 to January 2018): 
Review and update privacy policies and notices.
  • Phase 4 (January to May 2018)
Provide GDPR staff training.
  • Phase 5 (Ongoing): 
Monitor compliance efforts, reassess and retrain.






The content of this Profile is of general interest and is not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. © 2018 Zywave, Inc. All rights reserved.