GDPR Consent Checklists - Asking and Withdrawing Consent


Consent Checklist and GDPR

Asking for consent

 

  • Check that consent is the most appropriate lawful basis for processing.
  • Make the request for consent prominent and separate from terms and conditions.
  • Ask people to positively opt in.
  • Don’t use pre-ticked boxes, or any other type of consent by default.
  • Do use clear, plain language that is easy to understand.
  • Specify why you want the data and what you’re going to do with it.
  • Give granular options to consent to independent processing operations.
  • Name your organisation and any third parties.
  • Tell individuals they can easily withdraw their consent.
  • Ensure that the individual can refuse consent without detriment.
  • Don’t make consent a precondition of a service.
  • Seek consent with age-verification and parental-consent measures if offering online services directly to children.

Recording consent

 

  • Keep a record of when and how you got consent from the individual.
  • Keep a record of exactly what they were told at the time.

Managing consent

 

  • Review consents regularly to check that the relationship, the processing and the purposes have not changed.
  • Implement processes to refresh consent at appropriate intervals, including any parental consents.
  • Consider using privacy dashboards or other preference management tools as a matter of good practice.
  • Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • Act on withdrawals of consent as soon as possible.
  • Don’t penalise individuals who wish to withdraw consent.

 
