Records Management & Information Governance
Obtaining consent under the GDPR
Like the Data Protection Act (DPA) 1998, the General Data Protection Regulation (GDPR) allows organisations to process personal data where they have the consent of the data subject. Under the GDPR, however, the rules around obtaining and evidencing consent are stricter.
The Information Commissioner's Office has published the checklist below to help organisations gather, record and manage consent in line with the new requirements under the GDPR. It is likely this checklist will undergo further revision ahead of the introduction of the Regulation on 25 May 2018 but it does, in the meantime, provide a useful starting point for all University employees.
| Asking for consent | Tick |
| We have checked that consent is the most appropriate lawful basis for processing. | |
| We have made the request for consent prominent and separate from our terms and conditions. | |
| We ask people to positively opt in. | |
| We don't use pre-ticked boxes, or any other type of consent by default. | |
| We use clear, plain language that is easy to understand. | |
| We specify why we want the data and what we're going to do with it. | |
| We give granular options to consent to independent processing operations. | |
| We have named our organisation and any third parties. | |
| We tell individuals how they can withdraw their consent. | |
| We ensure that the individual can refuse to consent without detriment. | |
| We don't make consent a precondition of a service. | |
| If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place | |
| Recording consent | |
| We keep a record of when and how we got consent from the individual. | |
| We keep a record of exactly what they were told at the time. | |
| Managing consent | |
| We regularly review consents to check that the relationship, the processing and the purposes have not changed. | |
| We have processes in place to refresh consent at appropriate intervals, including any parental consents. | |
| We consider using privacy dashboards or other preference-management tools as a matter of good practice. | |
| We make it easy for individuals to withdraw their consent at any time, and publicise how to do so. | |
| We act on withdrawals of consent as soon as we can. | |
| We don't penalise individuals who wish to withdraw consent. |
Source: Information Commissioner's Office, Consultation: GDPR consent guidance.