How does consent work?

Obtaining consent to process someone’s personal data has always been required. However, the GDPR makes it harder for data controllers to obtain it and easier for data subjects to retract it. As stated in the regulation, approval must be given freely, it must be specific, informed and unambiguous. It will not be valid if bundled with other matters, such as in the general terms, it has to be distinguishable from all other matters. Parental consent will be needed in order to process children’s data – at the moment the age limit is set at 16, but there are ongoing discussions for a lower age limit, but not below 13.

So, how exactly does this work?

Data subjects have to be provided with a clear explanation of the processing to which they are consenting.

Under the GDPR, data subjects are permitted to withdraw their consent easily. It should be noted that silence or inactivity cannot be considered consent. As such, pre-ticked boxes for instance, are not considered valid consent.

Consent has to be specific and informed. The controller has to explain the scope and the consequences of the data processing.

Consent cannot be applied to an open-ended set of activities, instead it must be limited to a specific context.

The language used to explain the nature of the data processing activities should be natural and in an easily accessible form.

Do not forget that data subjects have the right to refuse consent and to withdraw it after it was given. Processing of data for legal matters, for criminal investigation or for health concerns are special cases when either it is not required or it cannot be revoked as easily.