GDPR: When do you need to seek consent?

Under the GDPR (General Data Protection Regulation), knowing how and when you need to seek consent can be tricky.

Many people mistakenly think that organisations must get consent to process personal data, but consent is one of six lawful grounds for processing data, and you’d be advised to seek it only if none of the other grounds apply.

The other lawful grounds are:

  • A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.

  • Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.

  • Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).

  • A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.

  • Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.

However, there will be times when consent is the most appropriate lawful basis, so you need to be aware of your obligations.

Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide

The GDPR heralds the most significant change to data protection law in the EU – and globally – in recent years. Download this free green paper to understand the core elements of the Regulation that are subject to the higher-tier fines, and what you need to do to comply with them.

Download now

Opt in vs opt out

The GDPR lists specific requirements for lawful consent requests, but must also be given with a clear affirmative action. In other words, individuals need a mechanism that requires a deliberate action to opt in, as opposed to pre-ticked boxes.

Although the GDPR doesn’t specifically ban opt-out consent, the ICO (Information Commissioner’s Office) says that opt-out options “are essentially the same as pre-ticked boxes, which are banned”.

Examples of lawful consent requests include:

  • Signing a consent statement on a paper form;
  • Clicking an opt-in button or link online;
  • Selecting from equally prominent yes/no options;
  • Choosing technical settings or preference dashboard settings;
  • Responding to an email requesting consent;
  • Answering yes to a clear oral consent request;
  • Volunteering optional information for a specific purpose (such as optional fields in a form); and
  • Dropping a business card into a box.

This list isn’t exhaustive, but the point is that consent requests need the individual to provide a clear positive action.

Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.

The trouble with consent

Under the GDPR, individuals are given more control of their data, which means it can be dangerous and time-consuming to rely on consent.

For instance, if you are using consent to process personal data and you then want to use that data for another purpose, you’ll need to ask for everybody’s consent again. Anyone who refuses to consent or who doesn’t reply must be removed from your records.

Individuals are also free to withdraw their consent at any time, which again means you have to remove them from your records.

If you don’t do this, your organisation risks disciplinary action from the relevant supervisory authority.

Additionally, as Rowenna Fielding writes, if a data subject withdraws their consent and you then realise you have a legal obligation to continue processing the data, you’ll find yourself in a catch-22 situation.

In other words, you’re either forced to breach privacy law by processing that data after consent has been withdrawn or you fail to meet your legal obligation to process that data.

Looking for more GDPR compliance help?

EU General Data Protection Regulation (GDPR) - An Implementation and Compliance Guide, Second Edition

You can learn more about your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide

The updated second edition of this essential guidebook explains in simple terms the steps you must follow to meet the GDPR’s requirements.

It covers everything you need to know about the Regulation, including:

  • Data subjects’ rights;
  • How to gain lawful consent;
  • Managing consent withdrawal;
  • Fulfilling DSARs (data subject access requests);
  • How to complete DPIAs (data protection impact assessments); and
  • Whether you need to appoint a DPO (data protection officer).
Get started

A version of this blog was originally published on 30 August 2017.

Related Posts

About The Author

Luke Irwin

Luke Irwin is a former writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology.

7 Comments

  1. Ian Brooks 25th August 2018

    Thanks for the information Luke. I see in your article if you are carrying out surveys in a school you would need consent. Would this also apply if the survey has no personal details on it save gender and age??

    Many thanks

    Ian.

    Reply
  2. Mia 21st May 2020

    Great post. I was checking continuously this blog and I am impressed!
    Very useful info particularly the last part 🙂 I care for such info much.
    I was seeking this certain information for a long time.
    Thank you and best of luck.

    Reply
  3. Jackie Topp 27th July 2020

    Very useful but I’m still slightly unsure- is verbal agreement sufficient to allow a charity to hold my details or is a tangible agreement required?

    Reply
  4. Dorian Kelly 5th June 2021

    My local Council anonymises all objections and comments to planning applications, which makes it really hard for the planning committee and othert experts to analyse. They cant tell whether the objections are from other ward councillors or legal experts or professional planners ( which they often are) or from other experts or from members of the public and therefore what weight to give the objections , I have tried putting a sentence in which gives the council full permission to disclose my name but they wont have it. Casn I require the council to publish my data as part of the communication?

    Reply
  5. george power 11th October 2021

    Is a residents association breaking the law if they publish your name and address with map reference without permission

    Reply
  6. NDC Management 23rd January 2022

    Hi Luke Irwin, What a fantastic post! This is so chock full of useful information about GDPR assessment. This is probably the best, most concise step by step guide i have ever read. Thanks for sharing wonderful post with us. Good luck for you bright future.

    Reply
  7. beylikdüzü masaj salonu 6th July 2023

    Your blog has a positive and uplifting atmosphere that brightens my day.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.