GDPR compliance—obtaining, recording and managing consent

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • GDPR compliance—obtaining, recording and managing consent
  • What is consent?
  • Tips for getting consent
  • Writing a consent request
  • How to get consent
  • Recording consent
  • Ongoing management of consent

The General Data Protection Regulation (GDPR) significantly raises the bar on what constitutes valid consent and on how consent must be obtained, recorded and managed.

This Practice Note is based on the GDPR and consent guidance published by the Information Commissioner’s Office (ICO).

You should review your organisation’s existing consents and consent mechanisms to form a preliminary view on whether they meet the GDPR standard. If they do, there is no need to obtain fresh consent. However, this is unlikely, bearing in mind that the GDPR requires that:

  1. consent must be unambiguous and involve clear affirmative action

  2. consent should be separate from other terms and conditions

  3. consent should not generally be a precondition of signing up to a service

  4. pre-ticked opt-in boxes are banned

  5. you must keep clear records to demonstrate consent

  6. data subjects have the right to withdraw consent—you need to tell people about this right and offer them easy ways to withdraw consent at any time

  7. public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent

If pre-GDPR consents do not meet the standards of the GDPR or are poorly documented, you need to:

  1. seek fresh GDPR-compliant consent

  2. identify and switch to a different lawful ground for processing—see Practice Notes: GDPR compliance—standard of consent—Do you need consent? and GDPR compliance—lawful processing,