GDPR compliance—standard of consent

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—standard of consent
  • What is consent?
  • Do you need consent?
  • When is consent not appropriate?
  • Standard consent—personal data other than special categories of data
  • Explicit consent—special categories of personal data
  • How long does consent last?
  • Withdrawal of consent
  • Switching from consent to another lawful ground
  • Record-keeping

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

Historically, many commercial organisations relied on consent as the main lawful ground for processing personal data. This is because the pre-General Data Protection Regulation (GDPR) regime did not impose particularly onerous requirements around obtaining and recording consent.

The GDPR significantly raises the bar on what constitutes consent (the subject of this Practice Note) and in relation to obtaining, managing and recording consent (see Practice Note: GDPR and consent—obtaining, recording and managing consent).

This Practice Note is based on the final text of the GDPR and consent guidance published by the Information Commissioner’s Office (ICO), which provides insight into how the ICO interprets the GDPR on consent and the ICO’s general recommended approach to compliance and good practice.

Consent is unlikely to be the default ground for processing personal data under the GDPR and organisations will need to consider whether any other