GDPR asking, recording and managing consent


Asking, recording and managing consent

Under the GDPR, a lawful basis needs to be identified and documented before data is processed. This is important as the lawful basis chosen will have a strong effect on an individual's rights e.g. where the University relies on consent to process data, an individual will have additional rights.

The rules around obtaining and evidencing consent are stricter than previously. The Information Commissioner's Office has published the checklist below to help organisations gather, record and manage consent in line with the new requirements under the GDPR.

We will be providing more information. In the meantime, it provides a useful starting point for all University employees to plan for changes they need to make to their personal data processes.

Asking for consent

  • We have checked that consent is the most appropriate lawful basis for processing.

  • We have made the request for consent prominent and separate from our terms and conditions.

  • We ask people to positively opt in.

  • We don't use pre-ticked boxes, or any other type of consent by default.

  • We use clear, plain language that is easy to understand.

  • We specify why we want the data and what we're going to do with it.

  • We give granular options to consent to independent processing operations.

  • We have named our organisation and any third parties.

  • We tell individuals how they can withdraw their consent.

  • We ensure that the individual can refuse to consent without detriment.

  • We don't make consent a precondition of a service.

  • If we offer online services directly to children, we only seek consent if we have age-verification and parental-consent measures in place

Recording consent  

  • We keep a record of when and how we got consent from the individual.

  • We keep a record of exactly what they were told at the time.

Managing consent  

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.

  • We have processes in place to refresh consent at appropriate intervals, including any parental consents.

  • We consider using privacy dashboards or other preference-management tools as a matter of good practice.

  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.

  • We act on withdrawals of consent as soon as we can.

  • We don't penalise individuals who wish to withdraw consent.