Practical tips for consent under the GDPR

September 21, 2018

Many organisations are reviewing their data protection procedures and documentation processes to ensure compliance with the GDPR. While it is prudent to do so, it is equally important to remember that consent is not the only way to prove the right to process personal data.

In advising clients, we have noticed that there is a tendency to focus entirely on consent as the legal basis for processing of personal data. This may land a business in a lot of trouble. Processing personal data should always be based on the appropriate legal basis. Consent is only one of six legal reasons why personal data can be processed.

Consent under GDPR

Consent should not be the first line of defence. Relying on consent when there are in fact other justifications for processing data may be just as damaging as not having consent at all. It may result in an inability to process personal data altogether, especially if the data subject retracts their consent.

Consent under the GDPR requires that people have a genuine choice and ongoing control over how their data is being used. Consent will be considered misleading and inappropriate if the data processing would take place even if the data subject withdraws their consent. To avoid this, entities should rely on another legal basis for their processing activities.

Therefore, consent should only be relied on where no other legal basis applies.

Lawful basis for processing personal data

The GDPR requires all processing of personal data to be fair, lawful, and carried out in a transparent manner. Processing of personal data is lawful if it is based on one of the six legal justifications for processing. Apart from consent, processing is lawful if it is necessary:

  • for the performance of a contract with the data subject;
  • for the performance of a legal obligation that the data controller owes;
  • to protect the vital interest of a natural person;
  • to allow the controller to perform a task that is in the public interest or to exercise official authority vested in the controller; or
  • for the purposes of the legitimate interests pursued by the controller or by a third party.

Consent is not inherently better or more important than these alternatives. Data controllers must specify in their privacy policies the legal basis on which they process the specific set of personal data. The appropriate legal basis for processing must be established before the processing takes place. Businesses will have to establish the correct lawful bases, document and record this, and inform the data subject accordingly (e.g. through the privacy policy).

Legal bases are not interchangeable. Data controllers cannot randomly change one legal basis for another without first making the data subject aware of the change.

Record keeping requirements

Both data controllers and data processors are under a duty to demonstrate and document the legal reason on which they base their processing of the specific personal data. The best way of doing this is to keep a data inventory or data log of all processing activities.

More specifically, data controllers and data processors are under a duty to:

  • maintain records of all processing activities; and
  • identify and document under what legal basis they are processing the specific data set. 

Consent as last resort; not a first line of defence

If consent is your only option, then you must ensure that you meet the high standards for consent and keep a record of both processing and the consent itself.

If a data controller is relying on the data subject’s consent for the processing in question, then such consent must meet certain standards.

Consent under the GDPR must be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.

In practice, this means that consent must be:

  • freely given;
  • unambiguous and specific;
  • not obtained under duress;
  • not bundled together with other services (bundling of consent is highly undesirable, with a strong presumption that consent was not freely given);
  • revocable (and withdrawing consent must be as easy as giving consent) without detriment.

Consent requests in privacy policies must be easy to understand, concise and separate from other terms and conditions. People must actively opt in. It is best practice to give separate (‘granular’) options to consent for different purposes and for different types of processing.

What does not amount to consent?

  • Silence
  • Default consents (e.g. pre-ticked boxes)
  • Blanket consents that cover any processing under the sun
  • Consent that is bundled up with the provision of services
  • Consent that forms part of the general contract or general terms and conditions

We advise businesses to rely on consent only if there are no other appropriate reasons for processing the personal data in question.

If you need help with GDPR compliance or have any questions, please feel free to contact us either via email: or call us on: 04 324 85 612