How to design GDPR compliant consent

As we already discussed in the previous posts of this series consent is one of the five lawful processing means defined in the GDPR, but in the commercial world consent is the most common and most significant approach. In this post we discuss about consent management in detail and also look at design aspects.

The main purpose of consent is to freely offer individuals genuine choice and put in control on his/her personal data processing. Also for organizations process personal data consent provide lawful basis for processing. A well designed consent helps for business to build customer trust and also enhances customer awareness and transparency on data processing, further consent greatly improve the reputation of the business.

The GDPR sets very high standard on consent management, the GDPR defines considerable financial penalties for violations of consent related regulations. Any organization process personal details of an individuals must pay special attention on consent management and future processing on already collected personal data.

The purpose of consent

A processing organization can use consent to legitimize

It’s very likely to use consent for most marketing activities or messages, website Cookies, online tracking methods, to install apps/ software on individuals’s devices. It’s required to provide consent in a such a way that consumers can easily understand that they have consent, and what they have consent to, without any important details hidden with small print.

Also processing organizations cannot email or text to ask for consumer consent because such message itself constitutes a direct marketing messages, there are some real world example cases already exists.

However consent is not an absolute right, there can be legitimate basis to ignore the individual’s consent of data processing. For example you can’t refuse to a bank to share your credit details with public financial authorities, you can’t refuse your employer liability to share your salary details with public tax agencies.

The GDPR definition of consent is remain same as the current DPD definition but GDPR introduce new clause as consent must be unambiguous and involve a clear affirmative action.

1995 DPA Definition

“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”

The GDPR definition

“ any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

Also it should be noted that when the data processing is based on consent, individuals are entitled for very strong set of rights including the right to erase and the right to data portability.

Here is the most important points extracted from above definition.

Freely given — This is a very significant point that helps to decide whether consent is the right choice of a given data processing or not, to use consent processing organization should be in position to offer real freedom for individuals to make a choice on a data processing. For an example most of the cases public authorities can’t give consent freely, another example is employer can’t always provide real choice for employees, in such cases consent should not be used instead organization can one of the five other lawful processing means.

specific — It’s not possible to ask for a generic consent from individuals, consent should be specific on it’s intended purpose, underlying processing approach, what kind of data is processing and how long data will be kept with the business etc.

Informed — An individual should be informed that he/she is consenting to process his/her personal data, additionally the individual should be aware the rights on given consent such as right to withdraw the given consent. Further processing organizations should make sure that language, images, graphics etc. used in the consent are well understood by the individuals, it’s not legitimate to get a consent by misleading individuals or giving hidden information.

Explicit consent

There is a special category of consent called “Explicit consent” which is required to process special category data and automated decision making. The key difference is, ‘explicit’ consent must be affirmed in a clear oral or written statement.

Design principles for consent management

You can refer some of the nice consent prototype created by projectsbyif from here.

Policy on existing consents and data

To prepare for GDPR compliance it’s not compulsory to discard all of your existing consents and get fresh consents from users but it’s absolutely necessary to conduct a review on current consent management process, if the process is in compliance with GDPR then you can consider existing consents are valid and continue on data processing. In case if your consent management process is in compliance with current DPA recommendations you could easily prepare for the GDPR compliance.

In case if you have any doubt on existing consents in related to GDPR compliance, it always a good idea to discard the data and get fresh consent in a GDPR in compliance manner.

Record tracking on consents

On order to demonstrate that you have consent from an individual, processing organizations should maintain following records.

Children’s consents

If the data processing is targeting children and depend on children’s consent, then the processing organization need to consider following two requirements.

Additionally you should ensure the consent can be well understood by children.

Alternatives to consent

When consent is the not the appropriate basis to legitimize the processing one of the following 5 basis can be used.

Checklist for Consent

Consent checklist published by the UK Information Commissioner’s Office can be used to ensure to check whether your consent is in compliance with GDPR or not.

Asking for consent

Recording consent

Managing consent


Integration and Identity Architect & PMC Member @ The Apache Software Foundation, was a Director @ WSO2