
GDPR Consent Basics

by Adam Brogden
in Blog

21-Nov-2019 11:49

If you rely on consent as your lawful basis, you need to make sure you actually have consent to collect, store, or process the data in question. Consent is probably the most difficult lawful basis to establish, and using consent will also affect individuals’ rights: people generally have stronger rights when processing is based on consent, for example the right to erasure (also known as ‘the right to be forgotten’) and the right to data portability.

GDPR is pretty clear here and there is a lot of information on the ICO website. For example:


The GDPR also brings in new accountability and transparency requirements. In particular, you must now inform people upfront about your lawful basis for processing their personal data. You need to tell people clearly what you do with their consent, and whether you do anything else on a different lawful basis. If you know you will need to retain the data after consent is withdrawn for a particular purpose under another lawful basis, you need to tell them this from the start.

You need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:

  • Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.

  • Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).

  • Granular: give distinct options to consent separately to different types of processing wherever appropriate.

  • Named: name your organisation and any other third party controllers who will be relying on the consent. If you are relying on consent obtained by someone else, ensure that you were specifically named in the consent request – categories of third-party organisations will not be enough to give valid consent under the GDPR.

  • Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.

  • Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you need to have simple and effective withdrawal mechanisms in place.

  • No imbalance in the relationship: consent will not be freely given if there is an imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible.

The following checklists might also help:


Asking for consent

  • We have checked that consent is the most appropriate lawful basis for processing.

  • We have made the request for consent prominent and separate from our terms and conditions.

  • We ask people to positively opt in.

  • We don’t use pre-ticked boxes or any other type of default consent.

  • We use clear, plain language that is easy to understand.

  • We specify why we want the data and what we’re going to do with it.

  • We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.

  • We name our organisation and any third party controllers who will be relying on the consent.

  • We tell individuals they can withdraw their consent.

  • We ensure that individuals can refuse to consent without detriment.

  • We avoid making consent a precondition of a service.

  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

Recording consent

  • We keep a record of when and how we got consent from the individual.

  • We keep a record of exactly what they were told at the time.

Managing consent

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.

  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.

  • We consider using privacy dashboards or other preference-management tools as a matter of good practice.

  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

  • We act on withdrawals of consent as soon as we can.

  • We don’t penalise individuals who wish to withdraw consent.


So, if you decide to use consent as your lawful basis you need to be very careful. Call us anytime to discuss - tel: 01772217772

Good luck all.