Consent to use data under the GDPR

There are six bases to legally process an individual’s data under the General Data Protection Regulation (“GDPR”) and offering people genuine choice and control over how their data is used ie by consent, is one of them.

This article reflects the draft guidance on consent issued by the Information Commissioner's Office (“ICO”) in March 2017 (“Guidance”). A final version of the Guidance is due to be published in June 2017, although this timescale may be affected by developments at European level. However, it is unlikely to change dramatically before the GDPR comes into force on 25th May 2018.

What’s new regarding consent under the GDPR?

The biggest change is that the GDPR sets a higher standard for consent than under the Data Protection Act 1998 - an indication of consent by an individual must now be ‘unambiguous’ and involve ‘a clear affirmative action’.

The other main changes are:

So how is valid consent to use data obtained?

What is not allowed?

How should consent be recorded and managed?

Why is it important to get valid consent?

Whether you base processing of customer data on GDPR-compliant consent or rely on inappropriate or invalid consent can have different consequences: 

What alternatives are there to process data lawfully other than by obtaining consent?

You can process personal data without consent if it is necessary for:

Remember that even if you are not asking for consent, you will still need to provide clear and comprehensive information about how you use personal data, in line with the ICO’s Code of Practice on Privacy Notices, Transparency and Control.

Further information

Additional details can be found in the Guidance itself.

We have also written some other articles on the GDPR: The Impact of the General Data Protection Regulation, in relation to limitation of liability and indemnities in the special context of data security, The General Data Protection Regulation - Apportioning Security Risk, and also on a related data protection matter, the EU-US Privacy Shield.

Otherwise, if you require any further information or have any queries on this topic, please contact us at

26th April 2017

back to archive