In Short
- Consent is a lawful basis under UK GDPR for processing personal data, requiring informed, specific, and freely given permission.
- Consent must be obtained through clear affirmative action, such as ticking a box or signing a form.
- Businesses must ensure individuals can easily withdraw consent at any time.
Tips for Businesses
Use clear, specific consent forms and ensure consent is actively given. Avoid pre-ticked boxes or default options. Periodically review and update consent, especially for sensitive data, and ensure individuals can easily withdraw consent through the same method it was provided.
‘Consent’ is a common term that is often used but frequently misunderstood in the context of data protection law. The UK General Data Protection Regulation (UK GDPR) sets out clear rules on how a business should collect and handle personal data, including rules around the use of consent. A key obligation under data protection law is having a lawful basis for processing personal data. Consent is one of the lawful grounds a business can rely upon to process personal data. A consent form is a document which can help demonstrate that a business has obtained consent validly and to the high UK GDPR standard. This article explores consent under the UK GDPR and how a consent form can help your business comply with these regulations.
What is a Lawful Basis for Processing?
Under the UK GDPR, you must identify and document a lawful basis before collecting personal data.
There are six lawful bases which have the meaning set out below:
- consent: this is where the individual gives clear permission for you to process their data;
- contract: this is where the processing is necessary to fulfil a contract with the individual;
- legal obligation: in this case, the processing is required to comply with the law;
- vital interests: here, processing is necessary to protect someone’s life;
- public task: here, processing is needed for tasks in the public interest or official functions; and
- legitimate interests: in this case, processing serves your legitimate interests, provided these do not override the individual’s rights.
Your business must carefully review and consider the appropriate lawful basis to process personal data. However, consent is not always the best choice and can be challenging to obtain in practice.
What is Consent and Explicit Consent?
Implied consent is invalid under the UK GDPR rules, and your business must show that you obtained informed consent. Under the UK GDPR rules, consent must be ‘freely given, specific, informed, and unambiguous’. This can be hard to demonstrate. Individuals must actively opt in to allow your business to process their data — you cannot infer consent from silence, inactivity, or pre-ticked boxes. You must ensure individuals know who is processing their data and why it is being processed. Individuals must also be informed that they can withdraw consent at any time.
Explicit consent requires a higher standard. You will need a clear, direct statement from the individual, such as ticking a box, signing a document, or giving verbal confirmation to evidence they have given explicit consent. You may seek to rely on explicit consent when processing special category data. Special category data includes health information, racial or ethnic origin, or biometric data. Unlike standard consent, explicit consent requires a direct affirmative action or statement.
What is a Consent Form?
A consent form is a key tool your business can use to obtain valid consent in writing. A consent form is intended to record a person’s consent. It enables you to process their personal data on the grounds of consent. The consent form should clearly state why you are collecting the data and how you will use it. You should draft the form in plain language so individuals understand precisely what they are consenting to. You should avoid combining different types of processing into one consent request unless they are closely related.
Your business should design your consent process and forms carefully to ensure individuals actively opt in, such as by ticking a box or signing the form. You should also include information on how they can withdraw their consent at any time.
If you need support with understanding the full information your consent form should contain, you should seek legal advice.
When and How Should You Obtain Consent?
When considering how to use a consent form, you should understand the broader background around obtaining consent correctly.
Your business must obtain consent before processing any personal data on the grounds of consent. You can do this in “real-time” through just-in-time notices. These appear as an individual enters their data or before they submit it for processing. Consent does not last forever, so you will need to review it periodically, depending on the context. If you seek to process data for a new purpose, even if it is similar to the original purpose, you may need fresh consent. If new consent is not feasible, you must consider whether a different lawful basis might be more suitable.
To obtain valid consent, your business should use methods that ensure clear affirmative action. You should make the consent request prominent and separate from other terms and conditions. Your business can use methods like signing a statement, ticking an opt-in box, clicking an opt-in button, or electing preferences through a dashboard. You should ensure the language is clear and concise, explaining why you are collecting data and how you will use it. You should name the controller and any third-party controllers who will rely on the consent, as just listing categories of third-party organisations is not enough.
Your business must not use pre-ticked boxes or any type of default consent. You will need to offer separate, granular options for individuals to consent to different purposes or processing activities unless it becomes too complex or confusing. You will need to make it easy for individuals to withdraw consent, ideally in the same way they provided it. Your business should also avoid making consent a precondition for a service unless it is genuinely necessary for that service. This ensures individuals have a real choice without being penalised for refusing consent.
Key Takeaways
A consent form is a key way of obtaining and documenting an individual’s agreement for you to process their personal data under the UK GDPR on the grounds of consent. Your business should obtain consent before processing any personal data on this ground and use effective methods that ensure clear affirmative action. For more sensitive or high-risk data processing activities, you may need explicit consent, which involves a direct and clear statement from the individual. Your consent forms must be clear and specific, and make it easy for individuals to give and withdraw consent. You should regularly review and update the consent you have obtained.
If you need help with a consent form, our experienced data privacy lawyers can assist you through LegalVision’s membership service. For a low monthly fee, you will have unlimited access to our lawyers, who can answer your questions and draft or review your documents. Call us today at 0808 196 8584 or visit our membership page to learn more about how we can help your business stay compliant with the UK GDPR.
Frequently Asked Questions
The UK GDPR is the legal framework that governs the processing of personal data in the United Kingdom. Its core aim is to ensure the protection of individuals’ privacy rights.
Under the UK GDPR, consent is an individual’s clear, informed, and voluntary agreement to the processing of their personal data, which must be given through clear affirmative action.