Consent is one of the lawful bases for processing data. So what are the GDPR’s changes to consent? And what are the benefits to putting them into practice?
Implementing GDPR compliant consent practices can do the following:
- Give individuals genuine choice
- Give individuals on-going control over their data
- Make your company transparent and accountable
Get this right, and you can build customer confidence and trust. With that you’ll enhance your reputation, improve levels of engagement and encourage the use of new services and products.
The GDPR sets a high standard for consent. These standards could affect the mechanisms you use to obtain it. Under the GDPR, consent must be unambiguous and involve a clear affirmative action.
How has the standard changed?
The GDPR’s definition of consent is similar to the 1998 Data Protection Act (DPA)’s, but adds detail about how it should be given.
The DPA’s definition is:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
Whereas, the GDPR definition is:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Unlike the DPA’s definition, the GDPR makes it clear that the indication must be unambiguous and involve a clear affirmative action. Essentially, the GDPR places a greater emphasis on individuals having clear granular choices upfront and ongoing control over their consent.
These changes represent a more dynamic form of consent. Instead of a one-off action (a box ticked and then forgotten about), consent becomes an organic, ongoing and actively managed choice. You will need to:
- Use very specific opt-in methods
- Maintain good records of consent
- Provide simple, easy-to-access ways for people to withdraw consent
Specific provisions have also been introduced on children’s consent for online services and consent for scientific research purposes.
When do I need to request consent?
If you want to use or share someone’s data in an unexpected or potentially intrusive way, or in a way which is incompatible with your original purpose, then you need consent.
You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies and other online tracking methods, or to install apps or other software on people’s devices.
What could happen if I get it wrong?
Mishandling consent risks undermining trust in your organisation and damaging your reputation. If individuals can’t trust you with their data, they’ll simply take their business elsewhere.
You also leave yourself vulnerable to substantial fines under the GDPR. Infringements of the core principles for processing personal data, including consent, are subject to the highest tier of administrative fines. In reality, this could mean a fine of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.
Do you need more guidance towards making your business GDPR compliant? Contact our specialists at Mackman today here, to organise your GDPR health check.
Alternatively, you can get in touch with us on 01787 388038 or by emailing us at email@example.com