What is Data Protection Consent?
Whether you have new obligations under the UK GDPR or you are reviewing your existing data protection regime, it is essential that you understand how consent works and what your responsibilities are. The UK GDPR, tailored by the Data Protection Act 2018, sets a very high standard for consent. This UK GDPR Consent Guidance will help you to understand your responsibilities.
The UK GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. The most notable change from previous data protection laws in the UK is that consent must be unambiguous and involve a clear affirmative action.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Consent & Other Legal Basis
Consent is not always the most appropriate legal basis for processing personal data, so it is essential that the controller accurately assesses each lawful basis first. In many instances, there is a more suitable basis than consent that can be used for processing. Those processing personal data should always review each processing activity and only use consent as an option where the individual has a choice.
When assessing whether consent is the most appropriate legal basis for processing, you should ensure that none of the following is a factor:
- Where you ask for consent but would still process the data even if it were not given (or withdrawn).
- Where you ask for consent to process personal data as a precondition of a service you are offering, it is not given as an option and consent is therefore not appropriate.
- Where there is an imbalance in the relationship (i.e. with employees).
GDPR Conditions for Consent
Where no other legal basis applies and consent is being used to process personal data, it is important for a business to review its consent mechanisms. This can be done using a Consent Checklist. Reviewing mechanisms can include (but is not limited to) ensuring that:
- Requests are transparent, use plain language and are void of any illegible terms, jargon or extensive legal terms.
- Consent is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes.
- Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data.
- Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand.
- Pre-ticked opt-in boxes are never used.
- Where consent is given as part of other matters (i.e. terms & conditions, agreements, contracts etc), the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service).
- Consent is always verifiable with controls in place to demonstrate consent in every case.
- Withdrawing consent is simple, clear and straightforward and can be done via multiple options.
- Consent withdrawal requests are processed immediately and without detriment.
- Where services are offered to children, age-verification and parental-consent measures are in place to obtain consent.
- For special category data, the consent obtained is explicit, with the processing purpose(s) always being specified.
- Detailed records of consent are retained and can evidence at a minimum:
  - that the individual has consented to the use and processing of their personal data
  - that the individual has been advised of the company name and any third party using the data
  - what the individual was told at the time of consent
  - how and when consent was obtained
The ICO also provide extensive guidance on GDPR Consent and what the obligations and expectations are.
GDPR Toolkit & Data Protection Policy Templates
We provide market-leading UK GDPR Bundles and Toolkits with customisable data protection templates to suit every industry and business type. With thousands of organisations already using our GDPR policy templates, you can be assured of high-quality, professional documents. Our consent checklist and consent examples are included in each of the Data Protection Template Toolkits, along with all mandatory GDPR template policies and procedures.