What is GDPR compliant consent? #GDPR

The key point is that you will generally not be processing personal data on the basis of ‘consent’ in GDPR terms. If you do, the data subject’s consent is required for processing personal data, and the data subject’s explicit consent is required for processing special categories of personal data, such as data concerning health.

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Consent gained by pre-ticked consent boxes is not valid consent under the GDPR, so if your website or any of your forms use pre-ticked boxes, you will need to review your processes.

Explicit consent is intended to be more specific consent, and must be confirmed in words rather than by any other positive action. That is, the person giving consent must signal agreement to an explicit statement in words, such as ‘I consent to emails about your products and special offers’.

Broadly, if personal data is collected by consent, a data subject should be able to withdraw his or her consent at any time. It should also be as easy to withdraw consent as it was to give it.

Whether consent was freely given will depend on whether the data subject could give or refuse consent to the processing of data and still continue with the rest of the service or contract. If the data subject can do so, it is more likely that consent was freely given. If not, the data is processed, for example, by virtue of the contract only and should only be processed to the extent required by the contract. 

If you collect personal data for marketing purposes, we advise you to read the guidance on consent by the Information Commissioner’s Office.
