What is Proof of Consent under GDPR?

Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Managment

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Brazil’s LGPD

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Consent is one of the primary legal bases that organizations leverage to collect and process personal data. As per Article 7 of the GDPR, consent can only be an appropriate legal basis for data processing if it is freely given, specific, informed and an unambiguous indication of the data subject’s wishes. This requires that an individual’s consent must be given voluntarily without any pressure or influence that could affect his or her choice. The use of dark patterns such as pre-selected tick-boxes, cookie walls or other such tactics used in websites that misguide users and force them to consent is prohibited under the GDPR. Data subjects should also be allowed to withdraw their consent at any time without any detriment. Furthermore, separate consent must be obtained for separate data processing purposes.

The GDPR also requires data controllers to be able to provide evidence that the data subject has given consent to the processing operation where processing is based on the data subject’s consent. This article digs deeper into the data controller’s responsibility of being able to demonstrate consent compliance.

What is Proof of Consent?

Article 7(1) of the GDPR states as follows:

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

While talking about burden of proof, Recital 42 of the GDPR states as follows:

“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

The afore-mentioned provisions of the GDPR indicate that the burden to demonstrate or prove that consent has been obtained from the data subject lies with the data controller. It is also consistent with the accountability principle of the GDPR, as stated in Article 5(2), that the controller shall be responsible for, and be able to demonstrate compliance with data protection principles.

As per the European Data Protection Board updated Guidelines on Consent, data controllers have liberty to create their own methods to demonstrate consent, in a way that does not hinder their daily operations. This should, however, not result in data controllers having excessive amounts of additional data processes. This means that organizations should have enough data to show consent was obtained but they should not be collecting any more information than necessary - to ensure data minimization.

What organizations must do to prove or demonstrate data subject’s consent?

To comply with the afore-mentioned requirements of the GDPR and EDPB Guidelines on Consent, organizations are required to do the following:

Keep a record of consent statements received, as to indicate how consent was obtained, when consent was obtained, and the information provided to the data subject at the time.
Be able to demonstrate that the data subject was informed and the controller’s workflow met all relevant criteria for a valid consent. According to the EDPB, in an online context, a controller must retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information presented to the data subject. It is to be noted that referring to a correct configuration on the respective website may not be sufficient.
Keep a copy of the information that was presented to the data subject at the time of obtaining consent from him/her.
As a best practice, consent should be refreshed at appropriate intervals.

Roadmap to Compliance

Securti’s Consent Management Platform helps organizations maintain comprehensive audit trails to demonstrate compliance as well as respect the data subject’s latest preferences. The audit trail is a detailed dashboard consisting of the following:

Data subject identity (online identifier)
Consent date (time and date stamp)
Copy of data capture (including any information presented to the data subject)
Cookie categories
Consent status (whether consent has been granted, declined or withdrawn)
Location code (cookie domain)
First party and third party

Securiti’s PrivacyOps platform captures the exact text of the agreement and the types of cookies to which the data subject consented to, thereby fulfilling the proof of consent requirement under the GDPR.

Conclusion

There can be several data processing operations where the data subject’s consent is considered an appropriate legal basis. For example, consent is relevant in email marketing and the installation of non-essential cookies and other similar tracking technologies. However, failing to obtain valid consent may expose organizations to exorbitant amounts of fines and penalties. Most global privacy regulations require organizations to not only obtain freely given consent but also to have proof of this consent for certain data processing activities. Doing this through manual methods is almost impossible given the amount of data that flows in and out of an organization in a single day.

Organizations need to find a solution that will help them automate this process, making it effective as well as cost and time-efficient. The Securiti Consent Management Solution offers:

Periodic scanning of websites
Consent orchestration
Configurable consumer preference center
Configurable workflows
Dynamic consent refresh
Granular and comprehensive consent records for audit and reporting

Request a demo today and see how it can help your organization comply with global consent regulations.

Rapid Path to
CPRA Compliance.

Get Your Privacy Center, Fully Functional In Minutes

Take a
Tour

Table of contents

What is Proof of Consent?

What organizations must do to prove or demonstrate data subject’s consent?

Roadmap to Compliance

Conclusion

Rapid Path to
CPRA Compliance.

Newsletter

Company

Resources

Terms

Get in touch

What is Proof of Consent under GDPR?

Table of contents

What is Proof of Consent?

What organizations must do to prove or demonstrate data subject’s consent?

Roadmap to Compliance

Conclusion

Rapid Path toCPRA Compliance.

Almost done

Share this

Join Our Newsletter

Related Content

Cookie Consent Requirements in Slovakia

Consent Requirements Under Thailand’s Data Protection Framework

Privacy-by-Design and Privacy-by-Default

Newsletter

Company

Resources

Terms

Get in touch

Rapid Path to
CPRA Compliance.