GDPR Blog Week 2: Consent

The law is changing on 25 May 2018 when the GDPR’s become enforceable by the Information Commissioners Office.

You should know that, in order to process data, you need to identify a lawful basis for doing so. If you can’t identify a lawful basis come May, then you shouldn’t be processing data.

Consent is only one example of a lawful basis for processing data although there are others, such as “legitimate interest” which I will come to shortly. The GDPR is raising the bar to a higher standard for consent. Therefore, if you’re relying on consent as a lawful basis for processing data, you need to review how you seek, record and manage that consent.

Put simply, under the GDPR, consent must be:

  1. Freely given;
  2. Specific;
  3. Informed; and
  4. Unambiguous.

This means that any communications seeking consent must state the purpose the personal data will be used for, such as future marketing by your organisation or sharing the data with any third parties.  If you intend to you use more than one mode of communication such as post, email and telephone then each and every method should be stated on the consent form. It must also be separate from any other terms and conditions that you have – and you need to give individuals the opportunity to easily withdraw their consent. This is often done with an “unsubscribe” button but alternative means may be used so long as it doesn’t create an arduous task for the data subject.

There must also be a positive opt-in. Consent can’t be inferred from silence, pre-ticked boxes or an individual’s inactivity.

To be clear, you don’t always need consent to process data. For example, you can rely on there being a “legitimate interest” to do so. This would apply to an insurance company processing an individual’s claims information, or a bank processing data for fraud protection purposes.

If you rely on consent, you’ll need to review your current policies and procedures to ensure that they are robust enough to withstand scrutiny under the GDPR’s. If you rely on an alternative lawful basis, such as a “legitimate interest”, you’ll need to ensure that you have a detailed paper trail in place to show accountability and transparency. Either way, compliance is best demonstrated by a Privacy Impact Assessment (PIA) which is basically an internal audit detailing the technical and organisational security measures in place and have a Privacy Notice accessible to all data subjects advising what you intend to do with their personal data.

There are separate rules governing the issue of Direct Marketing and the necessary consent required to do this, so I’ll address this in a separate blog.

If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team.

We will be releasing our blogs on a weekly basis in the run up to May to help you to get GDPR-ready.  Next week, our topic will be Subject Access Requests and the extended rights of data subjects under the new Regulations.  We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR’s.

Contact Us

    You can always change your mind by unsubscribing here.

    We will only use your information to handle your enquiry and won’t share it with any third parties without your permission.