Consent refers to a process by which an organization obtains direct permission from individuals before processing their data. Though it is one lawful basis for processing data, there are many situations in which it will not be a requirement to obtain consent. In instances when it is necessary and/or beneficial, it is important to understand what constitutes valid or explicit consent in order to be in compliance with the General Data Protection Regulation (GDPR). As described by the Information Commissioner’s Office (ICO), consent “means offering individuals real choice and control; genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
The assurance of privacy and security, for many individuals, is absolutely crucial when it comes to the management of their personal information, and asking for consent can be a reliable way to offer full transparency and control over how their data is being used. Additionally, obtaining explicit consent can make performing automated transactions more convenient and expeditious for both the organization and the individual. However, an organization should seek an alternative lawful basis for processing if it cannot genuinely offer the individual a choice, or in situations when it would otherwise process the data without the individual’s consent.
If consent is the most appropriate basis for processing data, an organization must also adhere to strict criteria laid out by the GDPR in order for it to be deemed valid. The organization should be able to demonstrate that the consent was freely given through a positive action, and that the individual was presented with a choice in clear, uncomplicated terms. Consent requests should also remain separate from standard terms and conditions, and be “clearly distinguishable from other matters.” In cases where explicit consent is required, such as the transference of more sensitive personal data, consent must be expressed by the individual in words, and will not be valid if given by any other positive action.
It’s important to note that a determination of validity depends not only on how consent is obtained, but also on how it is managed within an organization. All expressions of consent must be well documented and accessible. Because of the emphasis placed on the individual’s ability to choose what happens to their data, an organization must allow for consent to be withdrawn at any time, and may not change its legal basis for processing after such a request has been made. For similar reasons, requiring an individual’s consent as a precondition of service is also not advised, and should be recognized as contrary to the value of consent as a lawful basis for processing.