This is the seventh in a series of 12 posts with some advice from the ICO on how to start preparing for the advent of the GDPR in May 2018.
You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Like the DPA, the GDPR has references to both ‘consent’ and ‘explicit consent’. The difference between the two is not clear, given that both forms of consent have to be freely given, specific, informed and unambiguous. Consent also has to be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity. If you rely on individuals’ consent to process their data, make sure it will meet the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. Note that consent has to be verifiable and that individuals generally have stronger rights where you rely on consent to process their data.
The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.
For more details, see the Information Commissioner’s Office.
Source: ICO – Preparing for the General Data Protection Regulation