The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Consent requirements

If your organisation relies on consent to process personal data, the consent it obtains meets the GDPR's requirements of being:

  • specific;
  • granular;
  • prominent;
  • opt-in;
  • documented; and
  • easily withdrawn.

Ways to meet our expectations:

  • Consent requests:
    • are kept separate from other terms and conditions;
    • require a positive opt-in and do not use pre-ticked boxes;
    • are clear and specific, and are not made a pre-condition of signing up to a service;
    • inform individuals how to withdraw consent in an easy way; and
    • give your organisation’s name as well as any third parties relying on consent.
  • You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access and review, and to update if an individual withdraws consent.
  • You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes or paper-based forms.

Can you answer yes to the following questions?

  • Do staff agree that the records of consent are easy to access, understand and review?
  • Do customers say that you make it easy to understand and manage consent?