Consent for data processing is obtained directly from individuals before an organization can process their data. In many situations, consent will not be required, regardless of the legal basis for processing data. To be in compliance with the General Data Protection Regulation (GDPR), it's important to know what constitutes valid or explicit consent when it's necessary and/or beneficial to obtain it. According to the Information Commissioner's Office (ICO), consent is about providing individuals with real choice and control. Authentic consent should make individuals feel in control, build trust and engagement, and enhance the company’s reputation. 

It is crucial for many individuals to have a level of assurance regarding privacy and security when managing their personal information, and asking for consent can be an effective way to monitor and control how their information is used. Additionally, obtaining explicit consent can facilitate and expedite automated transactions for organizations and individuals. Nevertheless, it should consider alternative legal grounds if the organization cannot provide a genuine choice to the individual or if the organization would otherwise process the individual's data without their consent.

Consent from the User

To be deemed valid, consent must also meet the strict requirements laid out in the GDPR. A consenting individual's free and informed consent should be demonstrated through positive action, and a clear, simple choice should be offered. As with terms and conditions, consent requests should not be part of standard terms and conditions. Where explicit consent is necessary, such as the transference of more sensitive personal information, consent must be given verbally and cannot be implied by any other positive action. 

Consent Management

In addition to how consent is obtained, an organization's management of consent also determines its validity. Every expression of consent must be adequately documented and easy to find. The law places a high value on an individual's ability to control how their data is used; thus, organizations must allow individuals to withdraw their consent at any time and cannot change their legal basis after an individual withdraws their consent. It is counterintuitive to the value of consent as a lawful basis for processing to require an individual's consent as a requirement for service for similar reasons.