The Importance of Adequate Consent under the GDPR: HMRC Forced to Delete Five Million Records

The UK privacy regulator, the Information Commissioner’s Office (“ICO”), has recently found Her Majesty’s Revenue and Customs (“HMRC”) liable for a “significant” breach of the GDPR relating to the collection of consents with respect to biometric data. The enforcement action is a timely reminder that a higher standard of (explicit) consent is required with respect to so-called special category data (including biometric data). However, the enforcement action is also interesting because the ICO chose not to fine HMRC but instead to require certain action to be taken (namely the deletion of records), demonstrating that GDPR enforcement is not necessarily all about big monetary penalties.
