The murky world of consent & opt-in

The murky word of “consent” is one of the next big changes to evolve the data protection landscape.

Consent to store an individual’s personal data can get a little wordy. It is filled with legal jargon and is also the area of the GDPR law that the ICO have stated will “be subject to the highest tier of administrative fines”; so here we will break down the barriers to help you understand the requirements.

No longer can consent be “implied”, it must be “explicitly” given using “clear plain language”, for which you will need to keep proper records. The GDPR will ban the use of pre-ticked opt-in boxes, which are common place online.

Individuals will be entitled to know all of the ways in which organisations use their personal data, what purpose they require it for and who they intend to share it with.

Also, be aware that consent can be withdrawn at any time and under the “Right to be Forgotten”, An organisation must delete any data at the request of the data subject.

However, “Consent” can be split into three categories for ease of understanding; Opt-in, third party consent and lawful grounds for processing other than consent.

Opt-in consent

(as advised in guidance released by the ICO in March 2017), your customers, beneficiaries or data subjects must give consent for specific purposes and no, you cannot hide this in terms and conditions, buried in the depths of a page somewhere in your organisations website; it must be in clear, plain language.
It is also stated in the E-privacy directive (for email, SMS communications), you also require explicit consent, no opt-outs.

Third-party consent

Clear contractual statements and standards, must be included in contracts; Do: third party supply chain assessments, Privacy Impact Assessments, to know what your suppliers, contractors are going to do with your customer, beneficiaries or data subjects data.

Lawful grounds

Can be considered to be any of the following grounds; Vital interest, Lawful basis, Contractual, Legitimate interest, except for sensitive data; where lawful, vital or contractual are the only basis

As a rule of thumb; Only use explicit consent as a last resort, as this can be withdrawn at any time.


Now we have ascertained how to gain consent; there were some other terms we mentioned, to which you probably wondered, “What’s the e-privacy directive?” and “What’s a Privacy Impact Assessment?”, we’ll cover these in the be.GDPR modules.

Oh and one last point! The GDPR legislation contains specific details on the processing of data regarding children. Consent must be given or authorised by a person with parental responsibility for the child and notices addressed to children must be child friendly.

Also recently published