GDPR – Confused about consent


Consent is only 1 of the 6 lawful basis for processing data. You do not always need consent, in fact you are probably better off using another lawful ground.

Author: Nona Bowkis
Reading time: 2 minutes

This article is 4 years old.

Read our disclaimer keyboard_arrow_down

This website content is intended as a general guide to law as it applies to the motor trade. Lawgistics has taken every effort to ensure that the contents are as accurate and up to date as at the date of first publication.

The laws and opinions expressed within this website may be varied as the law develops. As such we cannot accept liability for or the consequence of, any change of law, or official guidelines since publication or any misuse of the information provided.

The opinions in this website are based upon the experience of the authors and it must be recognised that only the courts and recognised tribunals can interpret the law with authority.

Examples given within the website are based on the experience of the authors and centre upon issues that commonly give rise to disputes. Each situation in practice will be different and may comprise several points commented upon.

If you have any doubt about the correct legal position you should seek further legal advice from Lawgistics or a suitably qualified solicitor. We cannot accept liability for your failure to take professional advice where it should reasonably be sought by a prudent person.

All characters are fictitious and should not be taken as referring to any person living or dead.

Use of this website shall be considered acceptance of the terms of the disclaimer presented above.

People, and indeed other legal advisors, still seem a bit confused about consent, so here are some bullet points to put right some of the myths out there.

Consent is only 1 of the 6 lawful basis for processing data. You do not always need consent, in fact you are probably better off using another lawful ground.

Consent is not necessarily required to send marketing materials to your existing clients. If you have been using an ‘opt out’ method, you can continue to do this under GDPR. Your GDPR lawful basis, to send out MOT reminders for example, would be ‘legitimate interest’ and this is perfectly fine as long as you continue to provide a clear way to opt out in accordance with Regulation 22 of the Privacy & Electronic Communications Regulations (PECR).

You should remove data consent clauses from employment contracts as otherwise an employee could withdraw that consent and that makes things tricky. Use legitimate interest, performance of a contract and/or data required for the performance of a legal obligation as your legal basis.

If you do use consent:

  • There must be a positive opt in, so no pre-ticked boxes or any other method of default. 
  • The language must be clear, so the consumer or employee must know exactly to what they are consenting and what you will be doing with their data.
  • It has to be granular. Therefore if you want to market by SMS, email and telephone, you need separate consent boxes for each. A blanket or vague consent statement will not meet GDPR standards so ‘we will share your data with relevant third parties’ is not good enough – you need to name the third parties. 
  • You have to advise people they have the right to withdraw that consent.
  • You must ensure consent information is not hidden within other T&Cs, it has to be transparent and clear. 
  • You must review consent and refresh as appropriate, dependent on it’s context.

Remember, personal data belongs to the individual. They may effectively lease it to you but ultimately it belongs to them and so you need to keep it safe and let them know exactly what you will be doing with it so they remain in control.  However, you do not have to rely on consent to lease that data.

Nona Bowkis

Legal Advisor

Read more by this author

Getting in touch

You can contact us via the form or you can call us on 01480 455500.