FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

1. CONSENT CHECKLIST


DATE:                                  _________________

NAME OF AUDITOR:   _________________________

AUTHORISED BY:        __________________________

Have you reviewed the 6 lawful bases for processing to determine if consent is the most applicable for your processing requirements?
Does using consent as your lawful basis most closely match your relationship with the individual and your purpose for processing?
If processing ‘special category data’, have you reviewed all Article 9(2) (and DPA18 Schedule 1) conditions to ensure that explicit consent is the most appropriate?
If the processing is related to marketing, have you reviewed the relevant e-privacy laws to ensure you understand when consent is required?
Have you reviewed whether you will still need to retain any of the data for any other purpose if the individual withdraws their consent?
Have you ensured that giving consent is not a precondition of accessing your services or goods?
Have you ensured that you are not in a position of power over the individual giving consent and that there is no imbalance in the relationship?
2. CONSENT COMPLIANCE (once you have determined that consent is the most appropriate lawful basis)
Have you documented your assessment of the lawful basis to evidence that consent is the most appropriate basis?
Have you clearly defined what the individual is consenting to?
Have you verified that the consent complies with the GDPR/DPA18 standard?
Do you offer individuals real choice and control over how you use their data?
Is the consent mechanism clear, unambiguous and easy to access and understand?
Has the consent been freely given?
Does the consent mechanism detail the controller’s identity?
Does the consent mechanism name any third-party controllers who will be relying on the consent?
Have you defined the purposes of the processing in the consent mechanism?
Have you detailed the processing activities in the consent mechanism?
Have you ensured that the consent mechanism contains the individual’s right to withdraw consent at any time and details how to do this?
Where applicable, have you obtained separate consent for different processing operations using granular options?
Have you kept the consent mechanism separate from any terms & conditions?
Do your consent mechanisms contain an affirmative action that means the individual must take deliberate and specific action to opt in or agree to the processing?
Do your consent mechanisms avoid technical or legal jargon and confusing terminology?
Are oral consent confirmations accurately recorded and retained for evidencing consent?
Have you obtained consent using an active opt-in mechanism? (examples included below)

  • signing a consent statement on a paper form
  • ticking an opt-in box on paper or electronically
  • clicking an opt-in button or link online
  • selecting from equally prominent yes/no options
  • choosing technical settings or preference dashboard settings
  • responding to an email requesting consent
  • answering yes to a clear oral consent request
Where you need to obtain explicit consent for processing special category data, have you ensured that the explicit consent statement refers specifically to the element of the processing that requires explicit consent?
Is any explicit consent kept separate from all other forms of consent in your mechanisms?
Have you ensured that no pre-ticked boxes are used to obtain consent?
If obtaining consent via a website, have you ensured that individuals do not need to ‘login’ or create an account to give consent?
If your consent mechanism is directed at a child, have you ensured that the style and language are child-appropriate?
If you are offering online services to children and are relying on consent, have you included age-verification measures to ensure that you adequately seek parental consent for children under 13?
Do you keep a record of all consent that includes the below?

  • Who consented?
  • When they consented
  • What they were told at the time
  • How they consented
  • If consent was given orally, a recording of this conversation or other form of evidence
Do you have processes for withdrawing consent and recording such withdrawals? (e.g. online preference-management tools, unsubscribe links in emails and/or customer-service phone numbers)
Have you ensured that where consent is withdrawn, the individual will not suffer any detriment (e.g. loss of services, loss of access to the site, etc.)?
Where consent is given by a parent for a minor, do you have a control for revisiting that consent when the child becomes an adult?
Do you have a process for reviewing your consent mechanisms on an annual basis?
Are processing operations that rely on consent regularly assessed to ensure that consent is still the most appropriate lawful basis?
Has reviewing consent mechanisms and recording consent been allocated to a specific individual?
Do you offer individuals options to review their consent?





Once the checklist is completed, the auditor should fill in the section below and obtain Director/senior management sign-off.

Have you dated and saved the completed review in your document control/compliance program?                 YES/NO

AUDITOR                                                                   SENIOR MANAGER


Signed:            _______________________              Signed:            _______________________

Print:               _______________________              Print:               _______________________

Date:               _______________________              Date:               _______________________