Under the GDPR, in order to process personal data a lawful basis must be identified and documented. This is important as the lawful basis chosen will have a strong effect on an individual's rights. Be aware that when the University relies on consent to process data, an individual has additional rights.

The GDPR rules around obtaining and evidencing consent are stricter than the rules of previous legislation. The points below will help you gather, record and manage consent in line with the new requirements under the GDPR.

Asking for consent 

  • Check that consent is the most appropriate lawful basis for processing
  • Make the request for consent prominent and separate from your terms and conditions
  • Make sure that your consent form is separate from your privacy notice
  • Ask people to positively opt in
  • Do not use pre-ticked boxes, or any other type of consent by default 
  • Use clear, plain language that is easy to understand and tailored to your audience
  • Specify why you want the data and what you are going to do with it 
  • Give granular options to consent to independent processing operations 
  • Name your organisation and any third parties using the data  
  • Tell individuals how they can withdraw their consent
  • Ensure that the individual can refuse to consent without detriment  
  • Do not make consent a precondition of a service  
  • If you offer online services directly to children or vulnerable individuals, only seek consent if you have age verification and parental consent measures in place  

Recording consent  

  • Keep a record of when and how you got consent from the individual  
  • Keep a record of exactly what they were told at the time consent was obtained  

Managing consent  

  • Regularly review consents to check that the relationship, the processing and the purposes have not changed  
  • Have processes in place to refresh consent at appropriate intervals, including any parental consents  
  • Consider using privacy dashboards or other preference management tools as a matter of good practice 
  • Make it easy for individuals to withdraw their consent at any time, and publicise how to do so  
  • Act on withdrawals of consent as soon as you can, and within 30 days of the withdrawal request
  • Do not penalise individuals who wish to withdraw consent