< Back
You are here:

Consent is provided by the data subject as a means of granting the organisation permission to carry out a specific processing activity.  It provides the greatest level of control to the data subject, but is arguably the most difficult of the lawful basis to manage operationally.

The organisation must be able to demonstrate that it has obtained the consent of the data subject, therefore records must be maintained for when consent is both obtained and withdrawn.

For consent to be valid in must be specific and informed, so the data subject must know what they are consenting to and the consequences of their consent.  It should not be vaguely worded to allow extended processing. 

Consent must be freely given, so consent should be avoided in situations where the data controller has a level of power over the data subject (i.e. in employment situations).

Consent must be evidenced through an affirmative action, for example asking a data subject to ‘untick a box’ to avoid marketing would be unlawful as this requires an affirmative action to avoid the consent.

Consent should be as easy to withdraw as it was to be given in the first place.

Mark Roebuck

Mark Roebuck

Building a career around data led programme management Mark recognised that existing data compliance solutions were complex and difficult for clients to use. Frustrated with the options he founded ProvePrivacy to provide an effective and simple to use data protection compliance solution.

Copyright:  All information and articles provided represent the views of ProvePrivacy Limited and our contributors.  They do not constitute legal or data protection advice. All rights reserved.

You Might Also Like