Step 8. Consent Needs to be Explicit and Affirmative

8. Consent Needs to be Explicit and Affirmative – GDPR consultant 12 step guide to GDPR compliance

The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms. Consent needs to be explicit and affirmative and you must keep clear records to demonstrate consent. The requirements for GDPR consent are listed below:

  • An indication of consent must be unambiguous and involve a clear affirmative action (an opt-in).

  • The GDPR specifically bans pre-ticked opt-in boxes.

  • The GDPR requires individual (‘granular’) consent options for distinct processing operations.

  • Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

  • Consent needs to be obtained and verified from parents or guardians for U16s.

  • The GDPR gives a specific right for people to withdraw consent. You must inform them of this right and offer them easy ways to do so at any time.

  • Public authorities, employers and other organisations in a position of power may find it more difficult to show valid freely given consent.

You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

Why is consent important?

Consent is one of the lawful bases for processing personal data that can also legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data. Genuine consent should put individuals in control, build customer trust and engagement, and enhance your reputation. Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines.

When is consent appropriate?

Consent is one of six lawful bases for processing data. Consent is not inherently better or more important than the alternatives, so if consent is difficult or a precondition of a service, you should consider using an alternative lawful basis.

Consent is appropriate when you can offer people control and a real choice over how you use their data. If you cannot offer a genuine choice, consent is not appropriate. For example, if you would process personal data with or without consent, asking for consent is misleading and inherently unfair. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.

What is valid consent?

Consent must be given freely, meaning giving people genuine ongoing choice and control over how you use their data, and should be obvious, requiring a positive action to opt-in. Explicit consent must be expressly confirmed in words, rather than by any other positive action. There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

How should you obtain, record and manage consent?

Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

  • the name of your organisation

  • the name of any third-party controllers who will rely on the consent

  • why you want the data

  • what you will do with it

  • that individuals can withdraw consent at any time

You must ask people to actively opt-in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing. You must also make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.

Always keep records to evidence consent, including who consented, when, how, and what they were told. Keep consents under review and refresh them if anything changes. Building regular consent reviews into your business processes will help with GDPR compliance.

STEP 9. REVIEW BREACH NOTIFICATION AND INCIDENT RESPONSE PROCEDURES»