GDPR rules for obtaining consent

GDPR Consent

The ICO announced their final guidance on what constitutes consent this week, and it is not as scary as most organisations think. There has been a lot of confusion in different sectors about what they need to do with their existing mailing lists. You don’t automatically need to get fresh consent; however, you need to be able to do the following:

  1. ensure the user opts in to give their consent (no pre-ticked boxes);
  2. make your requests for consent prominent and be granular about what the user is consenting to;
  3. keep records to demonstrate consent;
  4. make sure the user can withdraw consent easily and at any time.

The GDPR states:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Consent means giving people genuine choice and control over how you use their data. If the individual has no real choice, consent is not freely given and it will be invalid.

This means that people must be able to refuse consent without suffering any negative effect, and they must be able to withdraw consent at any time. Consent must also be kept separate from your other terms and conditions of service.

The GDPR is clear that consent should not be bundled up as a condition of service unless it is necessary for that service.