People can give consent for their data to be processed. This gives the data controller a robust basis of processing with which to justify their activities.

However, gathering consent comes with certain obligations. Consent should only be used as the basis of processing if none of the other options are available or you want to provide individuals with genuine choice.

The GDPR raises the bar for what constitutes a “proper” consent, ensuring that the consent has been given freely and with full knowledge. This means that certain common practices that have been used by organisations in the past are no longer allowed.

If you are asking for consent to process personal data, you must meet the following criteria:

  • Giving consent must be a positive, transparent process. This means that confusing methods, such as pre-ticked consent boxes or trick questions with reversed meaning or double negatives, are no longer valid. It must be clear to the business and the data subjects that consent has been given and what for.
  • Consent must be a separate process that is clearly separated from any terms and conditions and cannot be bound to accepting other processes that do not require consent. You must not punish data subjects for not giving consent; it must be freely given. This means that you cannot bury the consent question inside a block of unrelated text, you cannot make consent a condition of another service and you cannot make a service perform worse because consent was not given for something unrelated to it. Consent must be a real choice. For example, it would be unacceptable to make consent to receiving marketing a condition of an online book purchase and deliver the book more slowly if consent was not given.
  • You must explain what you need the consent for and how you will be using the data subject’s data. You must give details about which organisations will gain access to personal data when consent has been provided. This might be your organisation and any third parties involved in your process.
  • You cannot gather a “blanket” consent that covers all your activities; it must be specific and informed. For example, if you need consent to send marketing materials to your customers and also to take photos of people you’ve invited to a conference as a part of a competition, then you must gather a distinct consent for these two business processes.
  • You must make it clear that data subjects can withdraw their consent at any time without penalty. As a general principle, the process that the data subject uses to withdraw their consent should be as easy as the process to give consent in the first place. It would be unacceptable to gather consent online but make the data subject write to a customer services department to withdraw that consent.
  • Finally, when you gather consent, you need to have good records of what the data subject was asked and how they gave their consent. The onus is on the organisation to prove that consent was given in line with the regulations.

If you fail to gather consent according to these criteria, you risk finding out in the future that your consent is not valid, leaving you without a valid basis of processing.

In summary: if you gather consent, the data subject must know what they are giving, be happy with giving it and must be able to withdraw it at any time. If managed badly, this could undermine the trust and reputation of your business.

It is generally accepted that consents that have been given in the past may not meet the high standards imposed by the regulation. You do not need to go out to these data subjects and gain their consent if you have another basis for processing or you decide to stop processing the data, but you must not kid yourself that you have GDPR-level consent. You should consider whether you have another basis for processing, such as legitimate interests, as this may be a more appropriate position to take.

On this point, it is worth noticing that the regulations make it explicitly clear that processing data for the purposes of direct marketing is allowable under the basis of Legitimate Interests.
