Processing personal data—obtaining, recording and managing consent
Processing personal data—obtaining, recording and managing consent

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Processing personal data—obtaining, recording and managing consent
  • What is consent?
  • Tips for getting consent
  • Writing a consent request
  • How to get consent
  • Recording consent
  • Ongoing management of consent
  • Cookies and website scrolling
  • Children

Brexit: As of exit day (31 January 2020), the UK is no longer an EU Member State, but it has entered an implementation period during which it continues to be treated by the EU as a Member State for many purposes. The UK must continue to adhere to its obligations under EU law, including in relation to data protection, and the ICO has confirmed the GDPR will continue to apply during the implementation period. For more information, see: Practice Note: Brexit—implications for data protection.

This Practice Note is based on the GDPR and consent guidance published by the Information Commissioner’s Office (ICO).

What is consent?

Consent is ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data’.

Consent must therefore be:

  1. freely given

  2. specific

  3. informed

  4. unambiguous

There are two levels of consent depending on the type of data you are processing:

  1. standard consent, which is required to rely on consent to process non-sensitive personal data

  2. explicit consent, which is required to rely on consent to process special category personal data. There is no definition of explicit consent but see Practice Note: Processing personal data—standard of consent—Explicit consent—special categories of data

For more guidance on the component parts of consent