• At Kemp Little, we are known for our ability to serve the very particular needs of a large but diverse technology client base. Our hands-on industry know-how makes us a good fit with many of the world's biggest technology and digital media businesses, yet means we are equally relevant to companies with a technology bias, in sectors such as professional services, financial services, retail, travel and healthcare.
  • Kemp Little specialises in the technology and digital media sectors and provides a range of legal services that are crucial to fast-moving, innovative businesses.Our blend of sector awareness, technical excellence and responsiveness, means we are regularly ranked as a leading firm by directories such as Legal 500, Chambers and PLC Which Lawyer. Our practice areas cover a wide range of legal issues and advice.
  • Our Commercial Technology team has established itself as one of the strongest in the UK. We are ranked in Legal 500, Chambers & Partners and PLC Which Lawyer, with four of our partners recommended.
  • Our team provides practical and commercial advice founded on years of experience and technical know-how to technology and digital media companies that need to be alert to the rules and regulations of competition law.
  • Our Corporate Practice has a reputation for delivering sound legal advice, backed up with extensive industry experience and credentials, to get the best results from technology and digital media transactions.
  • In the fast-changing world of employment law our clients need practical, commercial and cost-effective advice. They get this from our team of employment law professionals.
  • Our team of leading IP advisors deliver cost-effective, strategic and commercial advice to ensure that your IP assets are protected and leveraged to add real value to your business.
  • Our litigation practice advises on all aspects of dispute resolution, with a particular focus on ownership, exploitation and infringement of intellectual property rights and commercial disputes in the technology sector.
  • We have an industry-leading reputation for our outsourcing expertise. Our professionals deliver credible legal advice to providers and acquirers of IT and business process outsourcing (BPO) services.
  • We work alongside companies, many with disruptive technologies, that seek funding, as well as with the venture capital firms, institutional investors and corporate ventures that want to invest in exciting business opportunities.
  • Our regulatory specialists work alongside Kemp Little’s corporate and commercial professionals to help meet their compliance obligations.
  • With a service that is commercial and responsive to our clients’ needs, you will find our tax advice easy to understand, cost-effective and geared towards maximising your tax benefits.
  • At Kemp Little, we advise clients in diverse sectors where technology is fundamental to the ongoing success of their businesses.They include companies that provide technology as a service and businesses where the use of technology is key to their business model, enabling them to bring their product or service to market.
  • We bring our commercial understanding of digital business models, our legal expertise and our reputation for delivering high quality, cost-effective services to this dynamic sector.
  • Acting for market leaders and market changers within the media industry, we combine in-depth knowledge of the structural technology that underpins content delivery and the impact of digitisation on the rights of producers and consumers.
  • We understand the risks facing this sector and work with our clients to conquer those challenges. Testimony to our success is the continued growth in our team of professionals and the clients we serve.
  • We advise at the forefront of the technological intersection between life sciences and healthcare. We advise leading technology and data analytics providers, healthcare institutions as well as manufacturers of medical devices, pharmaceuticals and biotechnological products.
  • For clients operating in the online sector, our teams are structured to meet their commercial, financing, M&A, competition and regulatory, employment and intellectual property legal needs.
  • Our focus on technology makes us especially well positioned to give advice on the legal aspects of digital marketing. We advise on high-profile, multi-channel, cross-border cases and on highly complex campaigns.
  • The mobile and telecoms sector is fast changing and hugely dependent on technology advances. We help mobile and wireless and fixed telecoms clients to tackle the legal challenges that this evolving sector presents.
  • Whether ERP, Linux or Windows; software or infrastructure as a service in the cloud, in a virtualised environment, or as a mobile or service-oriented architecture, we have the experience to resolve legal issues across the spectrum of commercial computer platforms.
  • Our clients trust us to apply our solutions and know-how to help them make the best use of technology in structuring deals, mitigating key risks to their businesses and in achieving their commercial objectives.
  • We have extensive experience of advising customers and suppliers in the retail sector on technology development, licensing and supply projects, and in advising on all aspects of procurement and online operations.
  • Our legal professionals work alongside social media providers and users in relation to the commercial, privacy, data, advertising, intellectual property, employment and corporate issues that arise in this dynamic sector.
  • Our years of working alongside diverse software clients have given us an in-depth understanding of the dynamics of the software marketplace, market practice and alternative negotiating strategies.
  • Working with direct providers of travel services, including aggregators, facilitators and suppliers of transport and technology, our team has developed a unique specialist knowledge of the sector
  • Your life as an entrepreneur is full of daily challenges as you seek to grow your business. One of the key strengths of our firm is that we understand these challenges.
  • Kemp Little is trusted by some of the world’s leading luxury brands and some of the most innovative e-commerce retailers changing the face of the industry.
  • HR Bytes is an exclusive, comprehensive, online service that will provide you with a wide range of practical, insightful and current employment law information. HR Bytes members get priority booking for events, key insight and a range of employment materials for free.
  • FlightDeck is our portal designed especially with start-up and emerging technology businesses in mind to help you get your business up and running in the right way. We provide a free pack of all the things no-one tells you and things they don’t give away to get you started.

"I do" [tick] - how to get consent under the GDPR

On 2 March, the ICO released a consultation on the meaning of consent under the GDPR and, as part of this, published its draft guidance on consent (“Guidance”).  Organisations have an opportunity to respond to the consultation before 31 March 2017 and the ICO is aiming to publish the final guidance in May 2017.  Note that the Article 29 Working Party is also scheduled to publish guidance on consent later in 2017.  This article provides a summary of the main themes coming out of the draft guidance.

Consent under the GDPR

The Guidance says that “the GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms”.  Some elements of the definition of consent under the GDPR are the same as the definition under the current Directive – it must still be freely given, specific and an informed indication signifying agreement.  Under the GDPR the indication signifying agreement must also be “unambiguous” and involve a “clear affirmative action”.  Individuals have enhanced rights under the GDPR where an organisation is processing their personal data based on their consent (for example, a right to erasure/to be forgotten and a right to data portability).

Explicit consent

Organisations will need to obtain explicit consent for automated decision making, including profiling and if relying on consent as the lawful basis for processing sensitive personal data or for transferring personal data outside of the EEA.  The Guidance clarifies what is meant by “explicit consent” as this concept appears in the GDPR but isn’t defined. 

Explicit consent requires a very clear and specific oral or written statement of consent.  For example, having the wording “I consent to receiving emails about your products and special offers” with an unticked opt in box.  Explicit consent cannot be obtained using any other positive action such as a clear affirmative action not involving a clear statement.  For example, having the wording “By entering your email address you agree to us sending you emails about our products and services” and a box for individuals to enter their email address, as this is implied consent rather than explicit consent.  To obtain explicit consent, organisations will also need to provide individuals with sufficient information about what they are consenting to, such as, the nature of the sensitive personal data, the automated decision and its likely effect or the data to be transferred outside of the EEA and associated risks. 

Implied consent

The Guidance says that the idea of an “affirmative act” still allows organisations to use implied consent in some circumstances and that the “key issue is that there must be a positive action that makes it clear someone is agreeing to the use of their information for a specific and obvious purpose”.  This is positive for business who may still be able to use statement such as “By clicking submit, you consent to us contacting you by email with monthly offers”.  The Guidance, however, flags that implied consent “won’t always be appropriate” and “would not extend beyond what was obvious and necessary

Bundling consents

Organisations should avoid making consent a precondition of a service.  The guidance says “consent requests must be separate from other terms and conditions.  Consent must not be a precondition of signing up to a service unless necessary for that service”.  Consents may be bundled where the processing is genuinely necessary to provide the services, however, the ICO flags that a different lawful basis for processing may be more appropriate if this is the case.

What getting consent right looks like

  • Positive opt in – The individual is given a genuine choice and control over how their personal data is used and takes a deliberate action to opt in.  For example, signing a statement, giving oral confirmation or making a binary choice (and both choices have equal prominence)
  • Unbundled, specific and granular - Consent for processing personal data is separate from other terms and conditions and obtained separately for each distinct processing operation (where consent is the basis for processing).  If the processing is a condition of a service but not actually required for the service, the Guidance says that this consent will be presumed invalid as it is not freely given.
  • Prominent, clear and concise – Consent mechanisms must be easy to use and the language used must be clear, concise and easy to understand.
  • Third parties – Organisations will have to name the third parties who will rely on consent being given.  This is going to be a challenge for many organisations and the Guidance is clear that naming the types of organisation won’t be good enough to satisfy this requirement.
  • Withdrawing consent – You tell people how to withdraw consent and make it easy people to do so.
  • Clear records – You keep evidence of who provided consent, when the consent was provided, how the consent was provided and what the individual was told.
  • Review – You keep consent under review and refresh it if anything changes.  The ICO emphasises that consent is an ongoing and actively managed choice and not a one-off compliance tick box.

What is clearly banned

  • Pre-ticked boxes - Pre-ticked opt-in boxes and other forms of consent by default.  The Guidance makes it crystal clear that a failure to opt out is not consent and it also says that “You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way.”
  • Confusing language - Double negatives or inconsistent language that is likely to confuse individuals.
  • Disruptive mechanisms - Consent mechanisms that are unnecessarily disruptive to individuals. 
  • Imbalance in the relationship - Employers and public authorities will find it hard to rely on consent and the Guidance says it should be avoided.  This is because where there is a dependence on an organisation for services or a fear of adverse consequences, individuals may feel that they do not have a genuine choice and so consent is not freely given.
  • Vague or blanket consent – Consents worded so vaguely that they do not provide clear and specific information about what the individuals is consenting to.


  • If consent is difficult, it is an indication that you should be considering another lawful basis.  The ICO says that if you would still process personal data without consent, asking individuals for consent is “misleading and inherently unfair”.  Consent will still be needed for direct marketing (unless soft opt-in is available but note that the European laws on direct marketing are currently under review) and for using personal data for a new incompatible purpose.
  • You should review where you rely on consent and consider whether another lawful basis might be more appropriate.  For example, is the processing necessary to fulfil a contract with the individual or to comply with a legal obligation? Or do you have a genuine and legitimate reason, which includes a commercial benefit, that is not outweighed by harm to the individual’s rights and interests (note that you will still need to be fair, transparent (i.e. tell people) and accountable). 
  • Where consent is still needed, review the consent mechanisms that are currently used and identify gaps between current practices and the higher standards that are mandated under the GDPR. 
  • Develop an approach to refreshing consents that don’t meet the GDPR standards in advance of 25 May 2018.
  • Implement a process for regularly reviewing consents, quickly responding to withdrawals of consent and for updating/refreshing consents if things change.

Note that the GDPR contains specific provisions on children’s consent and consent for scientific research which this article does not go into. The Guidance is out for consultation until 31 March if you would like to comment or contact us if you would like our assistance.