GDPR compliance—obtaining, recording and managing consent

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—obtaining, recording and managing consent
  • What is consent?
  • Tips for getting consent
  • Writing a consent request
  • How to get consent
  • Recording consent
  • Ongoing management of consent

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation (GDPR) significantly raises the bar on what constitutes consent and on how consent is obtained, managed and recorded.

This Practice Note is based on the GDPR and consent guidance published by the Information Commissioner’s Office (ICO).

You should review your organisation’s existing consents and consent mechanisms to form a preliminary view on whether they meet the GDPR standard. If they do, there is no need to obtain fresh consent. However, this is unlikely, bearing in mind that the GDPR requires that:

  1. consent must be unambiguous and involve clear affirmative action

  2. consent should be separate from other terms and conditions

  3. consent should not generally be a precondition of signing up to a service

  4. pre-ticked opt-in boxes are banned

  5. you must keep clear records to demonstrate consent

  6. data subjects have the right to withdraw consent—you need