Your business's obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.
You will need to refresh consent if anything changes – for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough. If your business relies on parental consent, bear in mind that you may need to refresh consent more regularly as the children grow up and can consent for themselves.
Your business should have a system or process to capture these reviews and record any changes.
Your business should continue to review consent as part of your ongoing relationship with individuals, rather than treating it as a one-off compliance box to tick and file away. Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes. If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.
The GDPR gives people a specific right to withdraw their consent. You need to ensure that you put proper withdrawal procedures in place. As the right to withdraw is ‘at any time’, it’s not enough to provide an opt-out only by reply. The individual must be able to opt out at any time they choose, on their own initiative. It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.
ICO. Managing consent