Consent is used by many organisations as the default option when it comes to the legal basis for processing personal data. Using consent can often provide certainty for organisations that their legal basis for processing the personal data of the individual is sound.

However, consent under the GDPR is changing, and these changes are likely to mean that consent will be less straightforward to rely upon and may not be the most appropriate legal basis for processing personal data. Controllers will need to review existing mechanisms for obtaining consent to ensure that they are valid and appropriate under the GDPR.

The first key change is that the GDPR is raising the bar to a higher standard for consent. Consent under the GDPR requires a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The GDPR clarifies therefore that pre-ticked opt-in boxes are not valid consent. The GDPR also makes it explicit that consent must be as easy for people to withdraw as it was to give. If your organisation relies upon consent to process personal data, you will need to review the consent you already have to ensure it meets the standards of the GDPR, if it does not then fresh consent will need to be obtained (that is assuming consent is the appropriate legal basis for processing the personal data).

The second key change is that consent may no longer be the appropriate legal basis for processing data. The ICO has issued draft guidance on the use of consent which states that consent will not always be the easiest or the most appropriate legal basis for processing. Whilst the guidance is still in draft form (pending the release of European Guidance on the use of consent due by the end of the year) the ICO has stated that it is unlikely that the guidance will change significantly in its final form. Two of the key points for controllers to note from this guidance are:

  • Consent should not be used where there is an imbalance in the relationship between the controller and the data subject. The specific examples given in the guidance are where controllers are public authorities dealing with members of the public and employers dealing with employees. This is because individuals may feel compelled to provide consent for their personal data to be processed for fear or not being provided with a service or for fear of losing their job.

  • Controllers should always choose the lawful basis that most closely reflects the true nature of the relationship with the individual and the purpose of the processing. This will not necessarily be consent. There are five other legal bases for processing personal data which may be more appropriate, for example, the performance of a contract or the legitimate interests of the controller. Consent should only be used where no other lawful basis applies. The key issue for your organisation in determining whether consent is the appropriate legal basis is to determine whether you would still process the personal data on a different lawful basis if consent were refused or withdrawn. If so, then consent is not the appropriate legal basis for processing the personal data.

It is clear therefore that you will need to identify the most appropriate lawful basis for your processing activity from the outset, and only obtain consent from the data subject where there is no other more appropriate legal basis.

If you’d like the Information Law Team to review your current consent mechanisms, provide you with amended consent wording, or to talk to you about the appropriate legal bases for processing personal data just contact Lowri Phillips.

If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide.

Coming Soon

Geldards are delighted to announce that to help organisations to comply with the GDPR we will shortly be launching our online GDPR e-learning solution. A cost effective and easy access learning option, the course complements the expert legal advice we provide, with a training resource specifically designed to deliver an understanding and insight into GDPR for your entire workforce.




Geldards successfully advises on BioCity Group acquisition
Geldards is proud to have successfully advised on a landmark deal for the city.


Employment Cardiff Webinar Series - The Post Covid-19 Workplace
Geldards Cardiff Employment Team invite you to a series of events looking at the key considerations for the post Covid-19 workplace:


Transforming the lives of children and young people with special educational needs and disabilities
Parents of children with a disability often face significant uncertainty and struggle when seeking to secure an appropriate education and care package for their child. Each educational milestone and life stage can present fresh challenges.


Salus – Wealth and Family Protection
Salus Magazine is brought to you by the Private Client team at Geldards to help you protect your wealth and family.


Lowri Phillips


Partner, Cardiff

+44 (0)29 2039 1758


Hayley Lewis


Head of Knowledge Management, Cardiff

+44 (0)29 2039 1785


Helen Snow


Professional Support Lawyer, Cardiff

+44 (0)29 2039 1497