Consent Management and GDPR

Updated: Apr 13, 2020

Consent management already existed even before GDPR was born, but the regulation has imposed some changes into consent management and businesses everywhere are learning the importance of it to avoid getting into hot water.

In defining what the word ‘consent’ means under GDPR, Article 4(11) defines this as any freely given, specific, informed and unambiguous indication of the data subject’s requests where they provide a confirmatory action which implies that they agree and give permission for the processing of their personal data.

In article 7 of the regulation, some specific provisions have been elaborated further like

  1. how a record is kept in order to show consent

  2. revoking consent should be as giving it, at any time

  3. if a contract conditional on consent is present, it is highly significant that consent should be given liberally

  4. consents should be precise and can easily be understood

GDPR also has another requirement particularly the controller who handles these personal data that are considered sensitive, in Article 9 of the regulation specified these as explicit data.

If these terminologies in the GDPR articles confuse you, do not fret. We are here to help you out and discuss the terms that you can find throughout the article to ensure that you are fully compliant with GDPR.

Freely Given

If a controller’s legal basis for the processing of data is through consent, then the controller is responsible to give data subjects the freedom to decide whether they want their personal data to be processed or not. It should not be, by any means, forced. To ensure that the data subjects really have the freedom, if there is a disparity between the controller and the data subject exists, like when a controller is a public authority, consent will not be used. Furthermore, contracts and other services must be independent of consent unless the contract requires it.


Article 4 made a statement about how consent should be specific meaning data subjects have the right to be disclosed with all the information regarding their personal data and how they will be processed before they are actually be asked for permission. Because of this, if another purpose would come up in processing the data, consent should be asked to data subjects again.


Consent will be legitimate if the data subject is given complete information like the identity of the controller, the reason for data processing and, how it may affect them in any way – every information that they could possibly need. It should also be noted that the language used to pass on information is understandable by everyone.


Performance of consent management should be positive, confirmatory action to ensure that the data subject’s wishes are clear. This would mean that silent, pre-ticked boxes or inactivity is not considered consent.

Moving forward, let us now elaborate further on explicit consent under processing special categories.

The special categories of data include:

  1. race

  2. political colour

  3. religion

  4. trade-union membership

  5. biometrics

  6. health, sex life and/or sexual preference

These types of data are not allowed to be processed according to the GDPR’s Article 9. Consent will be considered explicit if the data subject should agree and provide a specific confirmatory response regarding this matter. There should be a strict level of compliance among controllers when processing the special categories of data.

Another type of data that belongs to the special category is children. Children that are below 16 years old should have consent from their parents if their data is to be processed in order to be compliant with GDPR. Other states may also revise this requirement and can lower it to up to 13 years of age but not lower than that. Furthermore, the language of the consent should be simple and should be understandable for a child

With regards to consent that have been obtained before the implementation of GDPR, re-obtaining it isn’t needed but controllers should provide all the records and proofs that the consent obtained happened before GDPR.

Consent, however, isn’t mandatory but is a lawful basis for processing. In addition, consent is not the best or the easiest to obtain at all times which is why there are alternatives for consent. The substitutes for consent are contracts, compliance with legal obligations, vital interests, and many more so long as it would still respect the freedom of the data subjects and not step on their rights.

Consent management can be quite complicated. But just because it’s difficult doesn’t mean that it is not doable. ICO recently released a guide with regards to GDPR consent. The responses, however, were contradictory as a lot of people believe that the number of tick boxes that should be given will only cloud the customers’ minds and would go against the requirement of GDPR to provide an easy and understandable form to data subjects. To sum up the foregoing, there is still a lot of work on when it comes to consent management and compliance towards GDPR all-in-all.