GDPR Article 7 deals with the ‘conditions for consent’ that need to be met, in order for it to be established that an organisation has gained the requisite authorisation prior to processing an individual’s data.
Conditions for Consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Conditions for Consent
- Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
- If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
- The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
- When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Consent is dealt with throughout GDPR Article 7 across 3 key areas:
Organisations need to gather consent in way that makes it easy for PII subjects to request information on how it was obtained (timestamps, who requested it etc.) (see ISO 27701 Clause 7.3.3).
Consent relies on three underlying legal stipulations: it needs to be freely provided, relating to the reason for processing and clear in its intent.
Organisations need to provide a mechanism that outlines the rights of any PII principal who wishes to withdraw consent, along with instructions on how to do so that are in alignment with the methods used to collect PII (e.g. email, telephone).
PII principals should also be able to ‘modify’ consent – i.e. restricting the controller from performing certain actions, such as deleting PII. Such requests should be documented in accordance with procedures for the removal of consent.
Organisations should commit to a published response time for all modification or withdrawal of consent requests.
Organisations need to obtain permission from the PII principle before utilising any data provided for marketing or advertising purposes, and ensure that acceptance of such a use is not a prerequisite to PII being processed.
Marketing and advertising stipulations should be clearly documented in any contracts or service agreements, in line with the above purpose.
Organisations should seek ‘express consent’ that is based upon a transparent and up-to-date representation of how PII is to be used.
| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 7 (1) and 7 (2) | ISO 27701 7.2.4 | None |
| EU GDPR Article 7 (3) | ISO 27701 7.3.4 | None |
| EU GDPR Article 7 (4) | ISO 27701 8.2.3 | None |
The ISMS.online platform includes built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so demonstrating your GDPR compliance is significantly easier. You will also benefit from a range of powerful time-saving features.
Using our intuitive platform, you can map your work across multiple standards and frameworks so that you can achieve multiple information security and privacy goals in a minimum amount of time.
If at any point in your journey toward GDPR, for whatever reason, you feel a lack of confidence, ability or drive to take action, we can make our team of in-house experts available to you or recommend one of our trusted partners to assist you in achieving your goals.
Find out more by booking a short demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
