Consent Management

Create consent records, track their lifecycle, and manage withdrawals

5 min read | Updated 26 February 2026
Client Admin | Compliance Officer | DPO

Consent is one of the six lawful bases for processing personal data under the GDPR, and it is often the most scrutinised. Article 7 sets out strict conditions: consent must be freely given, specific, informed, and unambiguous. It must be as easy to withdraw consent as it was to give it. And organisations must be able to demonstrate that consent was obtained — which means keeping thorough records.

GDPR4All's Consent Management module provides a structured way to create, track, and manage consent records throughout their entire lifecycle, from the moment consent is given to its eventual withdrawal or expiry.

The GDPR sets a high bar for valid consent. All four of the following conditions must be met:

  • Freely given — the individual must have a genuine choice. Consent is not free if there is a clear imbalance of power (e.g., employer-employee) or if consent is bundled as a condition of a service that does not require it.
  • Specific — consent must relate to a defined, particular purpose. Blanket consent for vaguely described processing is not valid.
  • Informed — before giving consent, the individual must be told who is processing their data, why, and what their rights are.
  • Unambiguous — consent requires a clear affirmative action. Pre-ticked boxes, silence, or inactivity do not constitute consent.

For special category data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life, or sexual orientation), the GDPR requires explicit consent, which demands an even clearer and more deliberate indication of agreement.

Navigate to Compliance > Consent and click New Consent Record to begin documenting a consent interaction.

Key Fields

  • Data subject name — the name of the individual who gave consent.
  • Data subject email — a contact identifier for the individual.
  • Purpose — a clear, specific description of what the individual consented to. For example, "Receiving weekly marketing emails about product updates" rather than simply "marketing".
  • Method — how consent was obtained. GDPR4All supports several methods:
    • Opt-in form — a web form, paper form, or other mechanism where the individual actively opted in.
    • Written — a signed document or letter.
    • Verbal — spoken consent (ensure you document when and how it was recorded).
    • Electronic — a digital mechanism such as clicking an "I agree" button or ticking an unticked checkbox.
  • Consent date — the date on which consent was given.
  • Expiry date — an optional date after which the consent automatically expires. Setting an expiry date is good practice, as it forces you to re-confirm consent periodically.
  • Notes — any additional context, such as a reference to the specific form used, the version of the privacy notice the individual was shown, or the circumstances under which consent was obtained.

Every consent record in GDPR4All follows a clear lifecycle with three possible statuses:

Active

When consent is first recorded, it starts in the Active state. This means the individual's consent is current and valid, and you are authorised to process their data for the specified purpose.

Withdrawn

An individual has the right to withdraw their consent at any time, and the GDPR requires that withdrawal be as easy as the original consent was to give. When consent is withdrawn, the status changes to Withdrawn and you must cease the relevant processing.

Expired

If you set an expiry date on a consent record and that date passes, GDPR4All automatically marks the consent as Expired. This happens in real time — the platform computes the effective status by comparing the expiry date against the current date. Once expired, the consent is no longer valid, and you should either re-obtain consent or cease the processing.

Withdrawal Tracking

GDPR4All provides two convenient ways to record a consent withdrawal:

From the Detail Page

When viewing a consent record, the Withdraw button is available for any record with an Active status. Clicking it sends a request to update the record's status to Withdrawn and records the date and time of withdrawal. The button is only shown when the consent is currently active — you cannot withdraw consent that has already been withdrawn or has expired.

From the List Page

The consent list includes an inline withdrawal action. Active consent records display a withdrawal icon that opens a confirmation modal. Confirm the action and the consent is withdrawn immediately without navigating away from the list. This is particularly useful when processing multiple withdrawal requests.

In both cases, the withdrawal is recorded in the audit trail, providing evidence that you responded promptly to the individual's request.

Auto-Expiry

The auto-expiry feature works seamlessly in the background. When you view a consent record or load the consent list, GDPR4All checks the expiry date of each record against the current date. If the expiry date has passed, the record's displayed status is automatically shown as Expired, even though the underlying database record may still show its original status.

This means you do not need to manually update consent records when they expire — the platform handles it for you. However, it is good practice to periodically review expired consent records and decide whether to seek fresh consent or remove the data.
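Because expiry is computed when a record is read, any export, report, or integration that reads the stored status directly has to apply the same rule before relying on a consent. The sketch below is an added example, not GDPR4All's own code. The field names are assumptions modelled on the Key Fields list, and it assumes consent remains valid through the expiry date itself.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Optional

@dataclass
class ConsentRecord:
    # Hypothetical field names, modelled on the Key Fields list above.
    subject_email: str
    purpose: str
    consent_date: date
    stored_status: str = "Active"        # value persisted in the database
    expiry_date: Optional[date] = None
    withdrawn_at: Optional[datetime] = None

def effective_status(rec: ConsentRecord, today: date) -> str:
    """Status a consumer must act on, derived at read time."""
    if rec.stored_status == "Withdrawn":
        return "Withdrawn"               # a withdrawal is never overridden
    if rec.expiry_date is not None and today > rec.expiry_date:
        return "Expired"                 # stored value may still say Active
    return rec.stored_status

def withdraw(rec: ConsentRecord, now: datetime) -> None:
    """Record a withdrawal; only effectively Active consent qualifies."""
    if effective_status(rec, now.date()) != "Active":
        raise ValueError("only Active consent can be withdrawn")
    rec.stored_status = "Withdrawn"
    rec.withdrawn_at = now               # timestamp kept as evidence

def may_process(rec: ConsentRecord, purpose: str, today: date) -> bool:
    """Gate processing on the effective status and an exact purpose match."""
    return rec.purpose == purpose and effective_status(rec, today) == "Active"

if __name__ == "__main__":
    # Constructed sample record, not taken from any real system.
    rec = ConsentRecord("ana@example.com", "Weekly product-update emails",
                        date(2024, 1, 10), expiry_date=date(2025, 1, 10))
    print(rec.stored_status, effective_status(rec, date(2025, 1, 11)))
    fresh = ConsentRecord("ben@example.com", "Weekly product-update emails",
                          date(2025, 1, 5))
    withdraw(fresh, datetime(2025, 2, 1, 9, 30, tzinfo=timezone.utc))
    print(fresh.stored_status, fresh.withdrawn_at.isoformat())
```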

Consent records should be linked to your Records of Processing Activities. If a processing activity in your ROPA relies on consent as its lawful basis, the consent records in this module serve as your evidence that valid consent was obtained.

When creating or reviewing a ROPA entry with "Consent" as the lawful basis, cross-reference the consent records in this module to ensure:

  • You have a consent record for each individual whose data is processed under that activity.
  • The purpose described in the consent record matches the purpose in the ROPA entry.
  • No consent records have expired or been withdrawn without your knowledge.

Best Practices

  • Make withdrawal easy — the GDPR requires that it be as simple to withdraw consent as it was to give it. If consent was obtained with one click, withdrawal should require no more than one click. GDPR4All's withdraw button makes this straightforward from a record-keeping perspective, but ensure your public-facing mechanisms are equally simple.
  • Be specific about purpose — each consent record should relate to a single, clearly defined purpose. Avoid bundling multiple purposes into one consent. If you process data for three different purposes, you need three separate consent records.
  • Set expiry dates — while not strictly required by the GDPR, setting expiry dates on consent records is a best practice. It forces you to periodically re-engage with individuals and confirm their ongoing agreement. Consider expiry periods of 12 to 24 months, depending on the sensitivity of the processing.
  • Keep records of how consent was obtained — it is not enough to know that someone consented; you must be able to demonstrate how. Use the Notes field to record the specific mechanism: which form was used, what version of the privacy notice was displayed, and the exact wording of the consent statement.
  • Review regularly — schedule quarterly reviews of your consent records. Look for expired or withdrawn consents that should trigger a cessation of processing. Identify consent records that are approaching their expiry date and plan your re-consent campaigns accordingly.
  • Respond to withdrawals promptly — when consent is withdrawn, stop the relevant processing without undue delay. Document when the processing actually stopped and confirm this with the individual if appropriate.
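
The ROPA cross-reference checks and the regular review described above can be run as a single reconciliation over exported records. This is an added example, not part of GDPR4All. The record layout, the exact-match rule for purposes, and the 90-day warning window are assumptions.

```python
from datetime import date, timedelta

def status(rec, today):
    """Effective status: withdrawal wins, then a passed expiry date."""
    if rec["status"] == "Withdrawn":
        return "Withdrawn"
    expiry = rec.get("expiry")
    return "Expired" if expiry and today > expiry else rec["status"]

def review(activity, consents, today, warn_days=90):
    """Findings for one ROPA entry whose lawful basis is consent."""
    by_subject = {}
    for rec in consents:
        if rec["purpose"] == activity["purpose"]:   # purposes must match exactly
            by_subject.setdefault(rec["email"], []).append(rec)
    findings = []
    for email in activity["subjects"]:
        recs = by_subject.get(email, [])
        active = [r for r in recs if status(r, today) == "Active"]
        if not recs:
            findings.append((email, "no consent record for this purpose"))
        elif not active:
            states = sorted({status(r, today).lower() for r in recs})
            findings.append((email, "consent " + "/".join(states)
                             + ": re-obtain or stop processing"))
        elif all(r.get("expiry") for r in active):
            last = max(r["expiry"] for r in active)
            if last - today <= timedelta(days=warn_days):
                findings.append((email, f"expires {last.isoformat()}: plan re-consent"))
    return findings

# Constructed sample data (not taken from any real system).
PURPOSE = "Receiving weekly marketing emails about product updates"
ACTIVITY = {"purpose": PURPOSE,
            "subjects": ["ana@example.com", "ben@example.com", "cy@example.com",
                         "dee@example.com", "eli@example.com"]}
CONSENTS = [
    {"email": "ana@example.com", "purpose": PURPOSE, "status": "Active", "expiry": date(2026, 12, 1)},
    {"email": "ben@example.com", "purpose": PURPOSE, "status": "Active", "expiry": date(2025, 6, 30)},
    {"email": "cy@example.com", "purpose": PURPOSE, "status": "Withdrawn", "expiry": None},
    {"email": "dee@example.com", "purpose": "marketing", "status": "Active", "expiry": None},
    {"email": "eli@example.com", "purpose": PURPOSE, "status": "Active", "expiry": date(2026, 3, 15)},
]

if __name__ == "__main__":
    for finding in review(ACTIVITY, CONSENTS, today=date(2026, 2, 1)):
        print(*finding, sep=": ")
```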

Consent management is one of the most operationally demanding aspects of GDPR compliance, but with structured record-keeping and the right tools, it need not be overwhelming. GDPR4All ensures every consent interaction is documented, trackable, and auditable.
