The ICO has devised a consent checklist* to help you and has broken it down into 3 separate sections so you can take this one step at a time:

Asking for consent

  • We have checked that consent is the most appropriate lawful basis for processing

  • We have made the request for consent prominent and separate from our terms and conditions

  • We ask people to positively opt in

  • We don’t use pre-ticked boxes or any other type of default consent

  • We use clear, plain language that is easy to understand

  • We specify why we want the data and what we’re going to do with it

  • We give individual (‘granular’) options to consent separately to different purposes and types of processing 

  • We name our organisation and any third party controllers who will be relying on the consent

  • We tell individuals they can withdraw their consent

  • We ensure that individuals can refuse to consent without detriment

  • We avoid making consent a precondition of a service

  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place


Recording consent

  • We keep a record of when and how we got consent from the individual

  • We keep a record of exactly what they were told at the time


Managing consent

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed

  • We have processes in place to refresh consent at appropriate intervals, including any parental consents

  • We consider using privacy dashboards or other preference-management tools as a matter of good practice

  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so

  • We act on withdrawals of consent as soon as we can

  • We don’t penalise individuals who wish to withdraw consent


Follow the steps in each section and at the end you will be able to tell whether or not you are fully compliant in terms of consent. It will also show you whether there are steps you have missed and/or areas you still need to address.

 

*This checklist is for illustrative purposes only. You will need to consider the specifics of your organisation, its contacts and your current compliance with both the Data Protection Act AND the Privacy and Electronic Communications Regulation. We do not provide any warranty or guarantee as to the accuracy, completeness or suitability of the information contained in this checklist. We are not liable for any inaccuracies or errors.