Law Society of Scotland

GDPR – Changes to consent and what they mean

17th November 2017 | Professional support | Data protection

Domhnall Dods, regulatory solicitor and GDPR expert at Towerhouse and member of the Law Society’s Privacy Law Committee, explains the changes to rules around consent in the General Data Protection Regulation (GDPR).

One of the aspects of the GDPR which has grabbed the most attention is the set of changes being made to the use of consent as a ground for justifying the processing of personal data.

It is a widely held belief that in order to process personal data you must have consent, but this is not the case. Perhaps for this reason there have been many comments about the new rules on consent ‘crippling’ businesses that rely on processing personal data.

There are in fact six grounds which can be used to justify processing; consent is just one of those (read more about the other legal bases for processing personal data).

Consent – what has changed and why are some people concerned?

The GDPR will introduce more stringent rules around consent, meaning organisations will need to reconsider how they go about obtaining consent, or perhaps, whether they might be better looking to one of the other five grounds open to them.

Under the GDPR, consent must be freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)), otherwise it will be invalid.

“Freely given” – this means that the data subject must have a genuinely free choice about consenting. If they are unable to access a product or service, or are disadvantaged by withdrawing or refusing their consent, then there is a presumption that the consent was not freely given. Consent is also not considered to be freely given if there is a power imbalance between data controller and data subject – eg the relationship between an employer and an employee.

“Specific and informed” – this means the individual has to be given sufficient information about the identity of the controller and the purposes of the processing. Consent has to be specific to each processing activity. Where different activities are taking place, consent must be given to each separately.

A request for consent must be “clearly distinguishable” from other matters in a written document where other matters are covered, eg in terms and conditions of service. It must also be clearly presented in plain language.

One of the most important changes to be aware of is that under the GDPR, consent can only be given by an affirmative action. This will mean, for example, that the use of opt-out or pre-ticked opt-in boxes is no longer acceptable.

Consent also needs to be verifiable – data controllers must now maintain records so that the consent can be verified.

Withdrawal of consent

This is another new concept. Article 7(3) gives data subjects the right to withdraw consent at any time and it must be as easy to withdraw consent as to give it. Not only that, but controllers must inform data subjects of their right to withdraw before the consent is given. If consent is withdrawn, data subjects have the right to have their personal data erased and the data can no longer be used for processing.

Age of consent

There are also new protections for children – the GDPR limits the ability of children to consent to processing unless parental authority is given. The age of consent is set at 16 but Member States can set a lower age subject to a minimum of 13. The UK has said it intends to set 13 as the age of consent and this is set out in the Data Protection Bill.

Conclusions

Given the more stringent rules around consent, it remains to be seen whether it continues to be the legal basis of choice for those processing data. The most important thing to consider when processing data remains whether at least one legal basis for the processing has been identified.

This blog represents the personal views of the author, not of any client. It is not to be taken as legal advice.
