• Gdpr
  • April 04, 2022

How to Gain Consent Under the GDPR

Even several years after the introduction of the General Data Protection Regulations (GDPR) in 2018, there is still a lack of understanding about how to gain proper consent to store personal data.  While some SMEs believe they are compliant with the terms of the GDPR, all too often, they are not. In part, this is because the rules around gaining consent can be confusing and complex. Gaining proper consent is not just a matter of asking permission to hold and use data; it is also necessary to explain to the individual (the ‘data subject’) their rights to change their mind at any time.


What are the consent requirements of GDPR?

According to Article 4 of the GDPR, consent is defined as “of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.


Valid and invalid consent

Article 7
states that to gain valid consent:

  • the data controller (i.e. the person who is making decisions about how and why data should be processed) must have a record of the consent for personal data to be used
  • information regarding written consent should be distinct and clear from other matters
  • data subjects should be told they have the right to withdraw their consent - “It shall be as easy to withdraw as to give consent”
  • it must be clear that consent is freely given if a contract is conditional on that consent

‘Freely given’ in this context means that consent is given based on a genuine choice. If it can be shown that consent is given, but the data subject effectively had no choice but to agree to the use of their personal data, this would not be considered valid consent.

Consent may also be deemed invalid if:

  • it is unclear if a data subject gave consent
  • the data subject was not aware they gave consent
  • there are no records showing a data subject gave consent
  • consent was required as a precondition of a service, but the processing is not necessary for that service;


‘Specific and informed’ consent

The GDPR also refers to the concept of ‘specific and informed’ consent.  This means that the data subject has the right to: 
  • Know the identity of the person making decisions about the use of their information (i.e. the data controller and any third party controllers who will rely on the consent given), and; 
  • Consent to different reasons for collecting the data – this means that if the organisation collecting data is using it for several reasons, consent must be given for each reason. 

You can get legal assistance from LawBite

Whenever you collect and use identifiable personal data about customers (like name, email, address and preferences) you need to stay compliant with the law.

If you don't comply, you can be fined by the ICO (Information Commissioner's Office) - up to 4% of your turnover. Or, even more worryingly, the ICO can issue a 'Stop Now' order, which prevents you from collecting or using personal data at all, either permanently or until you have complied with their requirements.

If you are unsure how to gain proper consent for your marketing activities or want to know more about consent requests and the differences between explicit consent, implied consent, informed consent, GDPR consent and valid consent , speak to one of the specialist data privacy lawyers at LawBite. They will be able to guide you through the data privacy law process and help your business be GDPR compliant. Book your free 15-minute consultation here.


Additional useful information

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.

Related Articles

Read more of our latest blog posts, featuring all the latest legal news, analysis and opinion from our expert lawyers.

blog image
  • By LawBite Team
  • February 15, 2022
Data protection and privacy – Employer’s responsibilities

Data protection and privacy laws touch on almost every aspect of HR.  Employers must strike a fine balance in complying with the UK GDPR, Data Prot...

blog image
  • By LawBite Team
  • February 07, 2022
Earning user trust by prioritising data protection compliance

Protecting people's privacy is not only the right thing to do, but it is key in earning trust. In 2022, armed with the knowledge gained from the Ca...

blog image
  • By LawBite Team
  • January 28, 2022
Who Needs a Data Representative in the EU for GDPR Compliance?

Obtaining a GDPR Data Representative in the EU for GDPR compliance is an important consideration that you, as a business owner, must think about.  ...


LawBite can help you

LawBite is on a mission to provide business legal advice that is easier to access, clearer to understand and much cheaper. Our on-line legal advice platform can quickly connect you with expert business legal advice. Our friendly, highly qualified business lawyers, solicitors and mediators will give you the guidance and reassurance that comes from customised legal advice for small and medium sized business.

Whether you are bringing or defending a legal claim, outsourcing work, want a business contract review to ward off disagreements, talk to an expert trademark lawyer, resolve a contractual dispute with methods like mediation and arbitration, or getting your new company set up and on the right footing with a robust shareholder agreement and GDPR standards, we can help you succeed.

defend a claim

Talk to a Lawyer

Book a Call
defend a claim

Essentials Plan

Join for Free