Consent Checklist and GDPR
Asking for consent
- Check that consent is the most appropriate lawful basis for processing.
- Make the request for consent prominent and separate from terms and conditions.
- Ask people to positively opt in.
- Don’t use pre-ticked boxes, or any other type of consent by default.
- Do use clear, plain language that is easy to understand.
- Specify why you want the data and what you’re going to do with it.
- Give granular options to consent to independent processing operations.
- Name your organisation and any third parties.
- Tell individuals they can easily withdraw their consent.
- Ensure that the individual can refuse consent without detriment.
- Don’t make consent a precondition of a service.
- Seek consent with age-verification and parental-consent measures if offering online services directly to children.
- Keep a record of when and how consent was obtained from the individual.
- Keep a record of exactly what they were told at the time.
- Review consents regularly to check that the relationship, the processing and the purposes have not changed.
- Implement processes to refresh consent at appropriate intervals, including any parental consents.
- Consider using privacy dashboards or other preference management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- Act on withdrawals of consent as soon as possible.
- Don’t penalise individuals who wish to withdraw consent.