How to prepare for consent under GDPR

Understand the new requirements for consent under GDPR, and how to ensure your practices comply


The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. Central to the changes on data regulation is a strengthening of the rules around obtaining consent, intended to give individuals choice and control over their data on an ongoing basis.

The regulation places an increased emphasis on clarity from the outset and on dynamic consent that is continually monitored and managed and keeps the individual in control. Requests for consent need to be clear, transparent, and in plain language.

Image: iStock/Mutlu Kurtbas

A positive opt-in is necessary, meaning an affirmative action that unambiguously indicates the individual's wishes. It must describe the exact implications of what is being agreed to. Consent by default is not sufficient, and pre-ticked boxes have been explicitly banned.

Every specific operation requires granular consent, and any third parties who rely on the consent should also be clearly named. Consent mechanisms must be prominent, concise, and easy to understand for each individual chunk of data and collection method. If anything about the original consent changes, such as the purpose of processing the data, a further consent will be required for the new purpose.

Procedures should be in place to make it easy to withdraw consent at any time, and individuals must be made aware of this from the outset. Their consent must be a genuine choice, and cannot be a condition of service.

Any complex technology used must be fully comprehensible in simple explanations. Artificial Intelligence, for example, will require a level of algorithmic transparency that can be understood by an average person.

Good practice

The form of consent now required could force some organisations to approach the same individuals again for further permission to use their data, but those that are already following good practice should be okay.

"If your consent is of a high standard now for the personal data you're processing, then you can continue to rely on that consent under the GDPR," says Steve Wood, Head of International Strategy and Intelligence at the UK Information Commissioner's Office (ICO).

"GDPR is creating a greater focus on making sure that consent is specific and granular as well. GDPR is focusing on the record-keeping around consent and the audit trail you need to have.

"Consent has got to be easy to withdraw, and you're going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with."

Keep clear records of all consent taken. This should include details on the individuals concerned, what they consented to, when they provided the consent, and what information they were given. If they withdraw any consent, that should also be documented. All consent documentation should be kept separate from any other company documents.

The identity of the controller, the exact purposes of the data use, the processing activities involved and the right to withdraw consent should all be included to ensure the individual is fully informed.

Establish clear withdrawal mechanisms and regularly review procedures to ensure any changes to processes are responded to as required.

"It's crucial that it's sustainable," says Wood. "It has to be embedded in the organisation. There's got to be a range of people who actually can take responsibility for different parts of the process."

When consent is needed

Consent will likely be required if there is a need to give a real choice and control over data use, such as sending marketing material, installing mobile apps or tracking website cookies.

However, consent isn't always essential. If offering a choice is not possible, there may be other more appropriate procedures for data use in some circumstances.

Common examples of when consent would not be appropriate are when the data use is a precondition of using your service, when it would be lawfully processed anyway, when you are in a position of power over the individual consenting, when it is legally required or a public task, or when not processing the data would endanger an individual's life.

Other lawful bases for the data use could be legitimate interests, the processing being necessary for the performance of a contract or of a public task, or the processing serving a vital interest.

The requirements may appear daunting at first, but they also offer an opportunity for organisations to build customer trust and strengthen their reputations. The value of data will continue to rise, and it will become ever more important for companies to manage it accurately.
