Last month, companies working toward compliance with the European Union’s General Data Protection Regulation (GDPR) received guidance about the new law’s consent requirement. The Article 29 Working Party, the advisory body that oversees data protection in the EU, issued a paper that provides practical advice about steps companies must take to ensure the consents for data processing they obtain from consumers are valid under the GDPR.

The GDPR provides that for consent to be valid, it must be freely given, specific to the stated purpose for the processing, informed, and based on a clear, affirmative indication given by the data subject. The document provides advice about how regulators interpret these provisions, and how the requirements practically should be met.

The guidance outlines the six pieces of information companies must provide in order to obtain “fully informed” consent – (1) the identity of the data controller; (2) the purpose of each processing action for which the consent is sought; (3) what data the controller will collect based on the consent; (4) the fact that the data subject can withdraw consent; (5) information about the use of the personal data for decisions based solely on automated processing, including profiling; and (6) if the data is being transferred outside of the European Economic Area, information about the possible risks of personal data transfers to third-party countries in the absence of an adequacy decision and appropriate safeguards.

The GDPR also requires that consent must be unambiguous, and requires a data subject’s “clear affirmative action” to signify agreement to the processing. The guidance emphasizes that consent can only be given for the specified use of the data, and that data controllers – who must be able to demonstrate that consent has been validly obtained – are free to develop methods to do so in a way that is fitting with their daily operations. It sets out specific requirements for data collected from children, advising that data controllers must obtain parental consent to such collection, and should adopt an approach to gaining parental consent that is based on the risk associated with the processing and the available technology solutions.

Companies that rely on consent as the legal basis for processing under the GDPR should carefully review this advice. While the GDPR provides other bases for the legal processing of personal data, companies often look first to consent. The Article 29 Working Party’s guidance can help companies determine whether the measures they have implemented are sufficient under the new law, or whether they need to consider additional steps as the May 2018 deadline approaches.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact