GDPR compliance—standard of consent

The following Risk & Compliance guidance note provides comprehensive and up-to-date legal information covering:

  • GDPR compliance—standard of consent
  • What is consent?
  • Do you need consent?
  • When is consent not appropriate?
  • Standard consent—personal data other than special categories of data
  • Explicit consent—special categories of data
  • How long does consent last?
  • Withdrawal of consent
  • Switching from consent to another lawful ground
  • Record-keeping

Historically, many commercial organisations relied on consent as the main lawful ground for processing personal data. This is because the pre-General Data Protection Regulation (GDPR) regime did not impose particularly onerous requirements around obtaining and recording consent.

The GDPR significantly raises the bar on what constitutes consent (the subject of this Practice Note) and in relation to obtaining, managing and recording consent (see Practice Note: GDPR and consent—obtaining, recording and managing consent).

This Practice Note is based on the final text of the GDPR and consent guidance published by the Information Commissioner’s Office (ICO), which provides insight into how the ICO interprets the GDPR on consent and the ICO’s general recommended approach to compliance and good practice.

Consent is unlikely to be the default ground for processing personal data under the GDPR and organisations will need to consider whether any other lawful grounds are more appropriate from a legal and operational perspective—see below: Do you need consent? and Practice Note: GDPR compliance—lawful processing.

What is consent?

The table below compares the definition of consent under the pre-GDPR regime against the GDPR definition:

Current definition of consent GDPR definition of consent
Any freely given specific and informed indication of the data subject's wishes