Short answer: GDPR sets strict requirements for consent. It must be freely given, specific, informed, and unambiguous. The user must actively give their consent – pre-ticked boxes or passive acceptance do not count. Consent must be documented and easily revocable at any time – in the same way it was given.
The foundation of trust
Consent is one of the most talked-about – and often misunderstood – concepts in data protection. For many organisations, it’s simply a checkbox on a form. But in reality, consent is the foundation for responsible and lawful processing of personal data. It’s a declaration of trust from the data subject to you as the data controller. That’s why it’s essential to understand how consent should be obtained, documented, and maintained in practice. It’s not just about ticking a compliance box – it’s about accountability.
This post explores how to properly collect and document consent under GDPR, and why it is crucial both for lawful processing of personal data and for building trust in your organisation.
Why is consent necessary?
Consent is one of six lawful bases for processing personal data under the GDPR. This means consent is not always required – but in some cases, it’s the only appropriate and legally valid basis.
This is especially true when:
- You are processing special categories of personal data (what the page above calls sensitive data), such as health information or details about religion or sexuality. Here the GDPR requires explicit consent unless another Article 9 exception applies.
- There is no clear alternative basis, such as a contract, a legal obligation, or a legitimate interest.
- It is important for the individual to remain in control of their data and to decide freely whether it can be used.
Valid consent demonstrates that you respect the individual’s right to privacy and that you manage data responsibly. It’s not just a legal formality – it’s a commitment to transparency and trust. If questions arise later about your processing of personal data, documented consent may be crucial to proving that your practices were lawful and ethical.
What must consent include?
Under the GDPR, consent must be a freely given, specific, informed, and unambiguous indication of the individual’s wishes. This means the person must actively agree – and they must understand what they are agreeing to. Silence, pre-ticked boxes, or vague language do not qualify as valid consent.
A valid consent should clearly answer the following:
- Who is collecting the data?
- What will the data be used for?
- What types of data are being collected?
- How long will the data be stored?
- Who will the data be shared with?
- How can the consent be withdrawn?
All of this must be explained in plain and understandable language. People should be able to grasp the consequences of their decision without needing a law degree.
How do you collect valid consent?
Consent must be collected before you begin processing personal data. This can be done through:
- Forms on your website
- Emails that include consent wording
- Newsletter sign-up flows
- Registration in apps or internal systems
What matters most is that the user takes a clear affirmative action, for example ticking an unticked box or clicking "yes". Passive agreement, continued use of a service, or pre-ticked boxes do not count under GDPR. You must also make it as easy for users to withdraw their consent as it was to give it, and you are required to keep a clear record of what the user agreed to, when, and how (which form or flow).
Example of consent wording
A valid GDPR consent must be clear, specific, and informed — and it should leave no doubt about what the individual is agreeing to. Here’s an example of how to phrase a proper consent statement, for instance when subscribing to a newsletter:
“I hereby consent to [Company Name] processing my contact information for the purpose of sending me newsletters. I understand that I can withdraw my consent at any time by contacting [contact details] or clicking the unsubscribe link in the newsletter.”
This wording meets GDPR requirements for voluntariness, clarity, and easy withdrawal. It clearly states who the controller is and the purpose of the processing, and it gives the user genuine control, exactly as the regulation demands. The remaining points from the checklist above (the types of data collected, how long they are stored and who they are shared with) should be covered in the privacy notice the statement links to, so that the consent is informed as well as specific.
FAQ on collecting consent
1. When is consent required?
Consent is the right basis when no other lawful basis for processing applies, for example for marketing emails and newsletters, and when processing special categories of personal data (where explicit consent is required). Whenever the individual must have a real choice about whether their data is used, consent is the basis to rely on, and it must be obtained through a clear affirmative action.
2. What makes a consent valid?
A valid consent must be freely given, informed, specific, and unambiguous. The user must know what they’re agreeing to — and be able to decline without negative consequences. It must also be properly documented.
3. Can we use pre-ticked boxes or implied consent?
No. GDPR requires active opt-in — such as ticking a box or clicking “Accept.” Implied consent, pre-selected checkboxes, or hidden agreements are not valid.
4. How long is consent valid?
Consent remains valid until it is withdrawn. However, it’s recommended to review and renew consent regularly — especially if your purposes or data practices change.
5. How do we document consent properly?
You must be able to show what the user consented to, when and how. This includes the exact consent text shown at the time (keep each version of the wording, since it may change later), the timestamp, the stated purpose, the method used (which form or flow), and how the user was told they could withdraw it.
6. Can the user withdraw consent?
Yes — and it must be as easy to withdraw as it was to give. Users can withdraw consent at any time, and you must stop the processing unless another lawful basis applies.
7. What about consent from children?
If you offer online services directly to children and rely on consent as your lawful basis, the GDPR requires that consent be given or authorised by the holder of parental responsibility for children under 16. Member states may lower this age limit, but not below 13, so the applicable threshold depends on national law. You must also make reasonable efforts to verify that parental consent was actually given.
Documentation is (almost) everything
Even the most carefully crafted and lawfully obtained consent loses its value if you can’t prove it. Under the GDPR, the burden of proof lies with you — the data controller. You must be able to demonstrate that consent was given freely, was informed and unambiguous, and applies to the specific processing of personal data in question.
That means being able to show:
- The timestamp – when the consent was given
- The wording – what exactly the person was told
- The purpose – what the consent specifically covers
- Withdrawal – how and when the person can withdraw consent
This documentation must be easily accessible, up to date, and ready to present in the event of an audit or complaint.
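The following is an added example of how such a consent record can be kept in code, written for this post; it is not ShareSimple or Safe Online code. It covers both the collection rules from the section on collecting valid consent (a pre-ticked box or the absence of an affirmative action is rejected outright) and the documentation list above: each record stores the exact wording shown together with a SHA-256 hash of it, the purpose, the method, a UTC timestamp and the withdrawal instructions. Withdrawal appends a new record instead of deleting the old one, so the history survives an audit. The class and method names, the in-memory list (a real system would persist to an append-only store) and the sample subject and wording are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional


class InvalidConsent(ValueError):
    """Raised when what was captured does not qualify as GDPR consent."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str            # one specific purpose per record (consent must be specific)
    wording: str            # the exact text the person was shown
    wording_hash: str       # SHA-256 of that text, so later edits are detectable
    method: str             # how it was given: "web-form", "app-registration", ...
    given_at: str           # ISO 8601, UTC
    withdrawal_info: str    # what the person was told about withdrawing
    withdrawn_at: Optional[str] = None


def _utc_iso(ts: Optional[datetime]) -> str:
    """Timestamp in UTC so records from different systems compare cleanly."""
    return (ts or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()


def verify_wording(rec: ConsentRecord, text: str) -> bool:
    """True if `text` is byte-for-byte the wording the person actually saw."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest() == rec.wording_hash


class ConsentLedger:
    """Append-only log of consents (hypothetical class, in-memory for the example)."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, wording: str, method: str,
               withdrawal_info: str, *, box_prechecked: bool, user_ticked: bool,
               now: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box is not an affirmative act, whatever the user did afterwards.
        if box_prechecked:
            raise InvalidConsent("pre-ticked box: not a clear affirmative action")
        # Silence or inactivity is not consent either.
        if not user_ticked:
            raise InvalidConsent("no affirmative action by the data subject")
        # Consent must be informed: the text must exist and say how to withdraw.
        if not wording.strip() or not withdrawal_info.strip():
            raise InvalidConsent("consent text must state the purpose and how to withdraw")
        rec = ConsentRecord(
            subject_id=subject_id, purpose=purpose, wording=wording,
            wording_hash=hashlib.sha256(wording.encode("utf-8")).hexdigest(),
            method=method, given_at=_utc_iso(now), withdrawal_info=withdrawal_info,
        )
        self._records.append(rec)
        return rec

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):
            if rec.subject_id == subject_id and rec.purpose == purpose:
                return rec
        return None

    def is_active(self, subject_id: str, purpose: str) -> bool:
        """Check before every processing step; a withdrawn consent must stop it."""
        rec = self._latest(subject_id, purpose)
        return rec is not None and rec.withdrawn_at is None

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdrawal is one call, as easy as giving consent; nothing is deleted."""
        rec = self._latest(subject_id, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        self._records.append(replace(rec, withdrawn_at=_utc_iso(now)))
        return True

    def evidence(self, subject_id: str, purpose: str) -> List[Dict]:
        """Everything an auditor would ask for, in the order it happened."""
        return [asdict(r) for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


if __name__ == "__main__":
    # Constructed sample, using the newsletter wording from the post.
    ledger = ConsentLedger()
    text = ("I hereby consent to Example Ltd processing my contact information "
            "for the purpose of sending me newsletters.")
    ledger.record("subject-42", "newsletter", text, "web-form",
                  "unsubscribe link in every newsletter",
                  box_prechecked=False, user_ticked=True)
    print("active:", ledger.is_active("subject-42", "newsletter"))
    ledger.withdraw("subject-42", "newsletter")
    print("active after withdrawal:", ledger.is_active("subject-42", "newsletter"))
    print("evidence records:", len(ledger.evidence("subject-42", "newsletter")))
```

Two design points worth noting. Consent is recorded per purpose, so a newsletter consent never silently covers profiling; `is_active` for a purpose that was never recorded returns False. And the hash of the wording lets you prove, years later, that the text in your records is the text the person saw, even if the live form has since been edited.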
The simple way to collect and track consent
Writing a compliant consent statement is one thing — ensuring it’s properly recorded and stored is another. That’s why we built ShareSimple, an Outlook plugin that lets you request and log consent directly from your email communications. With ShareSimple, you can send encrypted emails that include a built-in consent mechanism — and automatically document who gave consent, to what, and when.
Learn more
Sebastian Allerelli
Founder & COO at Safe Online
Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.