The ICO states the following on how you should obtain, record and manage consent:
“Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
the name of your organisation;
the name of any third-party controllers who will rely on the consent;
why you want the data;
what you will do with it; and
that individuals can withdraw consent at any time.
You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.
Keep records to evidence consent – who consented, when, how, and what they were told.”
Also,
“Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.”
Adapt has the following features to enable Agencies to facilitate the Consent approach if required:
The Consent/Permission Request workflow can be used for the “consent request”.
The Record Consent/Permission workflow can be used for “who consented, when, how, and what they were told”.
Note: This workflow includes recording ‘Explicit Consent’.
The Adapt Journal records evidence that each workflow has been run and can be used to prove the Agency is “Keeping records to evidence consent”.
The Consent Dashboard and the GDPR Consent/Permission Report can be used for “Keeping consents under review”.
The Refresh Consent workflow can be used to “refresh them if anything changes”.
The Right to Object workflow can be used to “withdraw consent at any time”.
Please see GDPR - Using the Consent Approach in Adapt for more information.