Consent
Unlock This Video Now for FREE
This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.
Consent is one legal basis for processing data and if you use consent as your lawful basis you are offering individuals real choice and control, but you need to be aware that the data subject can object or withdraw consent at any time and if they do then you can no longer process their data. For example, where you have provided a service and need to keep a record of that service and accounting information, you need to retain that data whether they withdraw consent or not, therefore consent may not be the best legal basis for that processing.
If you are using consent as your lawful basis then it should be obvious and require a positive action to opt in. Pre-ticked boxes do not comply with GDPR and must NOT be used, and neither should opt out boxes either. Individuals must be clearly informed of what they are consenting to, if they choose to receive notifications about delivery, for example, that doesn’t mean they have agreed to receive newsletters or information about special offers. If you want to send marketing emails then you must have a separate box, clearly offering them the opportunity to decide if they want to receive them or not.
When requesting consent you should provide the name of your organisation, why you want the data, what you will do with it and where applicable any third party who will rely on the consent. You must also clearly state that they can withdraw consent at any time.
You should keep a record of who consented, when they consented, how they consented and what they consented to.
Make sure that it is easy for individuals to withdraw consent and make sure that you have systems in place to deal with opt-outs or unsubscribes. For example, if someone has opted out of a newsletter, this means that they don’t want it and they will not expect to receive one again, if they do then they may lodge a complaint with the ICO and would be perfectly within their rights to do so.
Where explicit consent is required, this should be “expressly confirmed in words”, the use of opt-in boxes or positive action are not suitable for gaining explicit consent.
Children have the same rights as adults with regards to their personal data, so if you choose consent as your lawful basis for processing data relating to children, the child can provide their own consent if they are 13 years of age or over. If they are not yet 13, you will need to get consent from a parent or guardian before any processing of their data takes place.