The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms. Consent needs to be explicit and affirmative, and you must keep clear records to demonstrate consent. The requirements for GDPR consent are listed below:
An indication of consent must be unambiguous and involve a clear affirmative action (an opt-in).
The GDPR specifically bans pre-ticked opt-in boxes.
The GDPR requires individual (‘granular’) consent options for distinct processing operations.
Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.
Consent needs to be obtained and verified from parents or guardians for children under 16.
The GDPR gives a specific right for people to withdraw consent. You must inform them of this right and offer them easy ways to do so at any time.
Public authorities, employers and other organisations in a position of power may find it more difficult to show valid, freely given consent.
You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
How should you obtain, record and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
the name of your organisation
the name of any third-party controllers who will rely on the consent
why you want the data
what you will do with it
that individuals can withdraw consent at any time
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing. You must also make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
Always keep records to evidence consent, including who consented, when, how, and what they were told. Keep consents under review and refresh them if anything changes. Building regular consent reviews into your business processes will help with GDPR compliance.