Under GDPR, consent must be freely given and unambiguous, and you must be able to show a positive opt-in.

As an organisation, you should review how you obtain and record consent and whether you need to make any changes under GDPR. At all times the customer must be aware of what they are consenting to, i.e. how their personal data is going to be processed and the reasons it is being done. They must be left in no doubt as to what they are consenting to.

For consent to be freely given there must be a positive indication; consent cannot be inferred from ‘silence’. Just because they didn’t say NO, it doesn’t mean YES!

Are all of your consented records GDPR compliant? Now is the time to check and, if they are found lacking, now is the time to amend!

Consent needs to be verifiable – you must inform individuals of their right to withdraw consent at any time. As a data controller, you must be able to prove that consent to a specific processing activity has been given freely and in a positive manner.

As a data controller you need to have an effective audit trail.

In conclusion, if you are relying on consent as your legal basis for processing:

  1. It needs to be an affirmative action
  2. It needs to be clear and unambiguous
  3. The individual needs to be made aware that they can withdraw consent at any time
  4. There needs to be an easy way to withdraw consent
  5. Consent is specific and separate consents need to be obtained for each purpose
  6. Consent needs to be freely given
  7. It needs to be informed