Processing personal data—obtaining, recording and managing consent

The following Risk & Compliance practice note provides comprehensive and up to date legal information covering:

  • Processing personal data—obtaining, recording and managing consent
  • What is consent?
  • Tips for getting consent
  • Writing a consent request
  • Information requirements
  • Blanket consent
  • How to get consent
  • Standard consent
  • Explicit consent for sensitive personal data
  • Implied consent and consent by default
  • More...

Processing personal data—obtaining, recording and managing consent

This Practice Note is based on the UK GDPR and consent guidance published by the Information Commissioner’s Office (ICO).

What is consent?

Consent is ‘any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data’.

Consent must therefore be:

  1. freely given

  2. specific

  3. informed

  4. unambiguous

There are two levels of consent depending on the type of data you are processing:

  1. standard consent, which is required to rely on consent to process non-sensitive personal data

  2. explicit consent, which is required to rely on consent to process special category (sensitive) personal data. There is no definition of explicit consent but see Practice Note: Processing personal data—standard of consent—Explicit consent—special categories of data

For more guidance on the component parts of consent and how the definition will apply in practice, see Practice Note: Processing personal data—standard of consent.

Tips for getting consent

The ICO provides tips on how to get consent:

  1. make your consent request prominent, concise, separate from other terms and conditions, and easy to understand

  2. include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time

  3. ask people to actively opt in—don’t use pre-ticked

Popular documents