What is consent and consent management

What is consent?

In the context of the General Data Protection Regulation (GDPR), consent is one of the six lawful bases for processing personal data.

This means that, when it comes to personal data processing, there are several legal grounds you can rely on. You are not necessarily obligated to obtain consent for processing personal data, as long as your processing is based on one of the legal bases and you can ensure the lawfulness of processing.

However, most organizations will find that if they want to continue with their usual processing activities, for example, marketing activities, they will have to obtain consent that meets certain conditions.

The GDPR offers further clarification of the concept of consent, while EDPB guidelines provide more insight into the practical side. We will go over them and cover requirements for proper consent as well as consent management.

Consent as one of the lawful bases for processing

Before you start to process personal data, you should identify and document a valid lawful basis for collecting, processing, storage, or usage of personal data.

Generally, consent can only be an appropriate lawful basis if the individual is offered control and a genuine choice when accepting or declining the terms that are offered.

Relying on consent is by no means an easy option for processing personal data. It involves a lot of elements that need to be satisfied for consent to be GDPR compliant.

Choosing the right lawful basis will depend on the purpose of the processing and specific circumstances. In some cases, you will conclude that consent is the only proper way to collect data.

Elements of compliant consent

Consent is any freely given, specific, informed, and unambiguous expression of the individual’s choices regarding the processing of their personal data for one or more specific purposes, by a statement or by clear affirmative action.

The purpose is to give individuals control over their data. So, the right question to ask when collecting personal data is: “Have you given the individual a real choice and real control over the processing of their data?”

1. FREELY GIVEN

Freely given consent means you have presented data subjects with a genuine choice and made it possible for them to refuse or withdraw their consent at any given time. Individuals shouldn’t be misled or intimidated into giving consent.

However, there are a few situations where it is arguable if consent can be considered freely given. This applies to situations where there is an element of pressure or compulsion.

For example, in employee-employer relationships, where there is an uneven distribution of power, employees can give consent to avoid unpleasant situations at work, and in that case, this consent will not constitute GDPR-compliant consent.

If an individual wants to withdraw their consent, they should be able to do so at any time in the easiest possible way. As a rule of thumb, they should be able to withdraw it as easily as they gave it. When you collect consent, you should also notify your contacts of the way they can withdraw it.

2. SPECIFIC

For consent to be considered specific it must be distinguishable from other matters and cover all processing activities. If there are multiple purposes, then consent has to be given for each specific purpose. This means you should separate your terms and conditions from each specific consent.

Consent may cover different operations, as long as these operations serve the same purpose. In any other situation, you have to provide a separate opt-in for each purpose.

To comply with the requirement that consent be specific, you must apply granularity in consent requests and clearly separate information related to obtaining consent from information about other matters.

3. INFORMED

Informed consent entails that the data subjects are informed about what they are agreeing to before you collect their consent.

Disclose the identity of the controller and the purpose of the processing, along with all necessary information about the processing activity, in clear and plain language, so that it is easily understandable and individuals are familiar with the significance of their consent.

4. UNAMBIGUOUS

Consent should be given by a clear affirmative action that should leave no doubt that the individual intended to give consent.

This means that valid consent requires action from an individual, including ticking the consent box, signing a statement, or giving consent verbally. Silence, pre-ticked boxes, or inactivity do not constitute consent.

Explicit consent

Explicit consent is required in situations where there is a potentially serious data protection risk, and the situation requires a higher level of control over processing personal data.

You will have to obtain explicit consent when processing sensitive personal data, transferring data to third countries or international organizations without appropriate safeguards, and for automated individual decision-making, including profiling.

The main difference between consent and explicit consent is in the form or way they are given or expressed by the data subject. The data subject can give consent either by a statement or by clear affirmative action. When consent is given by a statement, it is considered to be explicit.

For more information about explicit consent and the differences between regular and explicit consent, read the guidelines on explicit consent.

Additional requirements for valid GDPR consent

As a controller, you are obligated to demonstrate valid consent. This means you are obligated to document and manage collected consents and keep records of consent.

For example, you will have to document the date when the consent was given, the name of the data subject, the information you communicated, in which form consent was given, and for which purposes.

Since managing consents manually has proven to be an almost impossible task in the long run, automation remains the only proper way to manage consents in a GDPR-compliant way.

A Consent Management Platform (CMP), such as the DPM Consent and Preference management module, helps you collect and handle personal information in a GDPR-compliant way, enabling you to track, monitor, and respond to data subjects’ requests and consent preferences and to demonstrate compliance.
