What does “freely given” actually mean?
Consent is a real choice, without pressure. If the person feels they must agree to get a service, keep their job, or access something unrelated, it isn’t freely given.
Watch for:
- Imbalance of power (e.g., employer vs. employee).
- Bundled consent (hiding consent inside Ts&Cs).
- Pre-ticked boxes or inactivity (silence) being treated as consent.
- Conditional consent where it isn’t strictly necessary for the service.
If consent isn’t the right fit, consider another lawful basis (e.g., contract, legal obligation, legitimate interests). Don’t use consent just because it feels safest.
The four conditions for valid consent
To rely on consent, you must be able to show it was:
- Freely given – a genuine, unpressured choice.
- Specific – separate options for each purpose (no bundling).
- Informed – plain-language explanation of who you are, what you’ll do, and the person’s rights.
- Unambiguous – a clear affirmative action (no pre-ticked boxes, no silence).
Acceptable ways to capture consent
Controllers should present consent requests clearly and separately from other terms. Examples include:
- Signed declaration (paper or digital)
- Unticked checkbox with consent wording on a web form
- Consent by email (where the message clearly states purpose and the person replies “I agree”)
- Selecting Yes/No to a specific purpose on a form or portal
- Tip: Always use clear language, avoid jargon, and never make consent a condition of something that doesn’t need it.
Example consent wording (copy & adapt)
Email updates (marketing):
I consent to iProtectU sending me email updates about product news, webinars and offers. I understand I can withdraw my consent at any time by clicking “unsubscribe” in any email or by contacting privacy@… .
Analytics cookies (non-essential):
I consent to the use of analytics cookies to help iProtectU improve this website. You can change your choice at any time in Cookie Settings.
Employee photo on intranet:
I consent to iProtectU using my photograph on the company intranet staff directory. I can withdraw this consent at any time by contacting HR.
- Form Tip: Provide a link to your privacy notice next to the option.
- Form Tip: Use separate unticked boxes for each purpose.
Withdrawing consent
People can withdraw consent at any time, and it must be as easy as giving it.
Good practice:
- Include a one-click unsubscribe in every marketing email.
- Offer in-app toggles for optional processing.
- Provide a simple contact route (email or portal) for other consents.
- Stop processing that depends on consent immediately after withdrawal and log the event.
Proving consent (accountability)
GDPR requires you to keep evidence of consent. Your records should show:
- Identity of the data subject (or pseudonymous reference)
- Date/time and method (form, portal, email, phone note)
- Exact wording the person saw at the time
- Purposes agreed to (each one)
- Source (e.g., page URL/form name/campaign)
- Who captured it (if staff-assisted)
- Withdrawal details, if/when withdrawn
Keep these records securely, link them to the relevant data, and set a review period—consent can expire if your purposes or context change.
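The record fields listed above and the withdrawal rules in the previous section translate naturally into a small consent ledger. The following Python is an added example, not iProtectU code or a product feature: the ConsentLedger class, its method names, the 730-day review period, the subject references and the form submissions are all assumptions constructed for illustration (the consent wording strings are taken from the sample wording earlier on this page). It stores one record per purpose with the exact wording, refuses to treat an unticked box as consent, logs every grant and withdrawal, and provides a gate that returns False as soon as consent is withdrawn or older than the review period.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """One purpose per record, so consent stays granular (no bundling)."""
    subject_ref: str            # identity or pseudonymous reference
    purpose: str                # the single purpose agreed to
    wording: str                # exact wording shown at the time
    method: str                 # form, portal, email, phone note
    source: str                 # page URL / form name / campaign
    captured_by: str            # "self-service" or staff identifier
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    withdrawal_method: Optional[str] = None


class ConsentLedger:
    def __init__(self, review_after: timedelta = timedelta(days=730)):
        self.review_after = review_after   # assumed review period; set it for your own risk
        self.records: List[ConsentRecord] = []
        self.events: List[dict] = []       # audit trail of given/withdrawn events

    def record_form(self, subject_ref, choices, wording, method, source,
                    captured_by="self-service", now=None) -> List[str]:
        """`choices` maps each purpose to the state of its own unticked-by-default
        box; only purposes the person actively ticked are recorded."""
        now = now or datetime.now(timezone.utc)
        recorded = []
        for purpose, ticked in choices.items():
            if purpose not in wording:   # no exact wording means no evidence of an informed choice
                raise ValueError(f"no consent wording captured for {purpose!r}")
            if not ticked:
                continue                 # an unticked box (silence) is never consent
            self.records.append(ConsentRecord(subject_ref, purpose, wording[purpose],
                                              method, source, captured_by, now))
            self.events.append({"event": "given", "subject": subject_ref,
                                "purpose": purpose, "at": now})
            recorded.append(purpose)
        return recorded

    def withdraw(self, subject_ref, purpose, method, now=None) -> bool:
        """Mark live consents withdrawn and log it; False if there was nothing to withdraw."""
        now = now or datetime.now(timezone.utc)
        live = [r for r in self.records if r.subject_ref == subject_ref
                and r.purpose == purpose and r.withdrawn_at is None]
        for rec in live:
            rec.withdrawn_at, rec.withdrawal_method = now, method
        if live:
            self.events.append({"event": "withdrawn", "subject": subject_ref,
                                "purpose": purpose, "at": now, "method": method})
        return bool(live)

    def may_process(self, subject_ref, purpose, now=None) -> bool:
        """Gate to call before any processing that relies on this consent:
        withdrawn or stale consents are not relied on."""
        now = now or datetime.now(timezone.utc)
        return any(r.subject_ref == subject_ref and r.purpose == purpose
                   and r.withdrawn_at is None
                   and now - r.given_at <= self.review_after
                   for r in self.records)

    def evidence(self, subject_ref, purpose) -> List[dict]:
        """What you would show an auditor for this subject and purpose."""
        return [asdict(r) for r in self.records
                if r.subject_ref == subject_ref and r.purpose == purpose]


T0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)   # constructed timestamp
WORDING = {   # exact text shown next to each box (from the sample wording above)
    "email_updates": "I consent to iProtectU sending me email updates about product news, webinars and offers.",
    "analytics_cookies": "I consent to the use of analytics cookies to help iProtectU improve this website.",
}


def run_demo() -> dict:
    """Constructed scenario: a sign-up form with two separate boxes, then a withdrawal."""
    ledger = ConsentLedger()
    out = {}
    # The person ticked only the email box; the cookies box was left unticked.
    out["recorded"] = ledger.record_form("subj-0001", {"email_updates": True, "analytics_cookies": False},
                                         WORDING, "web form", "https://example.invalid/signup", now=T0)
    out["email_ok_before"] = ledger.may_process("subj-0001", "email_updates", now=T0 + timedelta(days=1))
    out["cookies_ok"] = ledger.may_process("subj-0001", "analytics_cookies", now=T0)
    out["withdrew"] = ledger.withdraw("subj-0001", "email_updates", "unsubscribe link", now=T0 + timedelta(days=30))
    out["email_ok_after"] = ledger.may_process("subj-0001", "email_updates", now=T0 + timedelta(days=31))
    out["withdraw_never_given"] = ledger.withdraw("subj-0001", "analytics_cookies", "email", now=T0)
    # A consent older than the review period is flagged for refresh rather than relied on.
    ledger.record_form("subj-0002", {"email_updates": True}, WORDING, "portal", "portal/preferences", now=T0)
    out["stale_ok"] = ledger.may_process("subj-0002", "email_updates", now=T0 + timedelta(days=800))
    out["events"] = [e["event"] for e in ledger.events]
    out["evidence"] = ledger.evidence("subj-0001", "email_updates")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry the weight here. The gate (`may_process`) is the only thing application code should consult, so "stop processing immediately after withdrawal" becomes a single check rather than a hunt through every mailing job; and the evidence record keeps the wording verbatim rather than a reference to a template, because the template may be edited later while the question an auditor asks is what this person saw at that time.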
When not to use consent
Choose another lawful basis if:
- You can’t offer a genuine choice (e.g., payroll processing—legal obligation).
- The processing is necessary for a contract the person requested.
- You would still process the data even if consent is refused (that’s not consent).
- You need to perform tasks for legal obligations or public interest.
Quick manager checklist
- Is consent the right lawful basis here?
- Is the request separate from other terms and plain-language?
- Are options granular (per purpose) and not pre-ticked?
- Is withdrawal as easy as giving consent?
- Do we log who/what/when/how and keep the exact wording?
- Do we have a review process for old consents?
- Are staff trained to recognise and record consent/withdrawal correctly?
Common pitfalls to avoid
- Pre-ticked boxes or implied consent via inactivity.
- Forcing consent for unrelated or non-essential processing.
- Hiding the consent request inside Ts&Cs.
- Using vague purposes (“improvements,” “marketing”) without detail.
- No easy way to withdraw, or continuing processing after withdrawal.
- Failing to keep evidence.
How iProtectU helps with GDPR
- IIRSM-approved GDPR awareness training – assign our IIRSM training to staff/managers, track completion, and schedule refreshers.
- Policy & document management – publish privacy notices, retention schedules and procedures using our document management software; version control ensures a full audit trail.
- Vendor/processor records – store contracts, data processing agreements and due-diligence checks.
- DPIAs & risk logs – consistent templates, actions and reviews to manage high-risk processing.
- Tasking & reminders – owners, due dates and renewals for RoPA, DPIAs, policy updates and vendor checks.
- Dashboards & reporting – real-time view of training, policy acceptance, actions and expiries for audit readiness.
Combine training + policy management in one platform and you’ll close the loop from awareness to evidence.
Next in the series (Part 3): Sensitive or special category data
This article provides general guidance and is not legal advice.
Missed Part 1? Click here to read: GDPR basics for managers — why it matters and how iProtectU helps.
GDPR FAQs
Our FAQ guides enable you to make informed decisions about how our health and safety software can benefit your organisation.
For anything else please request a demo, call or send us an email.
You must stop the processing based on that consent and log the withdrawal. Keep a record that consent was previously given/withdrawn.
No. Consent must be an opt-in via clear affirmative action.
The UK applies the UK GDPR alongside the Data Protection Act 2018; it mirrors GDPR principles closely. If you operate across regions, design for the higher standard.
No. Consent must be specific—give separate choices for each purpose.
No. Consent is one of six lawful bases. For many HR or service-delivery activities, contract or legitimate interests may be more appropriate—document your choice.
A Data Protection Impact Assessment evaluates high-risk processing (e.g., large-scale monitoring, special category data). It documents risks and the measures you’ll put in place.
If a personal data breach is likely to risk people’s rights/freedoms, report to the supervisory authority within 72 hours and inform affected individuals when required.
Yes—book a free demo and we’ll tailor a walkthrough to your industry, data and processes so you can see how iProtectU fits your organisation.
Refresh when your purposes, technology or context change, or when consents become stale for the risk involved.