DAT-010 Consent Management
Description
Where consent is the legal basis for processing, a mechanism exists to obtain, record, and withdraw consent. Consent is granular, freely given, specific, informed and unambiguous. Records of consent are maintained and withdrawal is as easy as granting. Consent is refreshed when processing purposes change.
Rationale
Under GDPR Art. 7(1) the controller must be able to demonstrate that the data subject consented, and under Art. 7(3) withdrawal must be as easy as giving consent; consent that cannot be evidenced, or that cannot be withdrawn, cannot be relied upon as a legal basis. Consent records are the evidence used to demonstrate compliance and to action withdrawal requests.
Framework Mappings (5)
| Control ID | Title | Coverage |
| DSP-08 | Data Privacy by Design and Default | partial |
| GDPR-Art.5.1a | Lawfulness, Fairness and Transparency of Processing | partial |
| PT-4 | Consent | full |
| P2.1 | Choice and Consent | full |
| P3.2 | Explicit Consent for Sensitive Information | partial |
Evidence (2)
Consent management platform configuration showing that consent is collected in a granular, freely-given manner with withdrawal mechanism in place.
Example: Consent Management Platform configuration export (OneTrust / Cookiebot / Usercentrics) — showing consent categories, opt-in design (no pre-ticked boxes), withdrawal mechanism active, and consent version history enabled
Test: Review the CMP configuration and live consent banner. Verify: (1) consent is opt-in by default (no pre-ticked boxes), (2) consent categories are granular (at minimum: analytics, marketing, functional), (3) a withdrawal mechanism is accessible from within the product (not only at sign-up), (4) version history or consent audit log is enabled.
Consent records log demonstrating that individual consents are captured with timestamp, version, mechanism of consent, and withdrawal events.
Example: Consent audit log export from CMP or database for a sample of 50 users — showing user ID (pseudonymised), consent timestamp, consent version, categories consented to, and any withdrawal events with timestamps
Test: Request a sample consent audit log export. Verify: (1) each record includes a timestamp, consent version, and categories, (2) withdrawal events are recorded when users opt out, (3) consent version in records matches the published privacy notice version at the time of consent, (4) log is retained for the duration required by the retention schedule.
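An automated form of the audit-log test above, as an added example that is not part of this control page or of any CMP product: it runs checks (1) to (3) from the audit-log test, plus the category-granularity check from the CMP test, over a constructed JSON Lines export. The field names, the privacy notice version history and the sample records are assumptions for illustration, and a real export's schema will differ. Check (4), retention, is reported as the age of the oldest record for comparison against the retention schedule rather than decided by the script.

```python
"""Record-level checks over a consent audit-log export (constructed example)."""
import json
from datetime import datetime, timezone

# Assumed privacy notice version history: version -> effective-from (UTC).
# In practice this comes from the published notice's change log.
NOTICE_VERSIONS = {
    "2023-09": "2023-09-01T00:00:00Z",
    "2024-02": "2024-02-15T00:00:00Z",
}

# Assumed granular categories the product declares; a bundled "all" is not granular.
GRANULAR_CATEGORIES = {"functional", "analytics", "marketing"}

# Assumed export schema (field names are illustrative).
REQUIRED_FIELDS = ("user_id", "timestamp", "consent_version", "categories", "event", "mechanism")

# Constructed sample export, JSON Lines, pseudonymised user IDs. Lines 3 to 6 each
# carry one defect on purpose so the checks have something to find.
SAMPLE_LOG = """\
{"user_id": "u-7f3a", "timestamp": "2024-03-01T10:02:11Z", "consent_version": "2024-02", "categories": ["functional", "analytics"], "event": "grant", "mechanism": "banner"}
{"user_id": "u-7f3a", "timestamp": "2024-05-10T08:15:40Z", "consent_version": "2024-02", "categories": ["analytics"], "event": "withdraw", "mechanism": "settings-page"}
{"user_id": "u-91c0", "timestamp": "2024-06-01T12:00:00Z", "consent_version": "2023-09", "categories": ["marketing"], "event": "grant", "mechanism": "banner"}
{"user_id": "u-b2e4", "consent_version": "2024-02", "categories": ["functional"], "event": "grant", "mechanism": "banner"}
{"user_id": "u-c5d1", "timestamp": "2024-06-03T09:30:00Z", "consent_version": "2024-02", "categories": ["marketing"], "event": "withdraw", "mechanism": "settings-page"}
{"user_id": "u-d8f2", "timestamp": "2024-06-04T11:45:00Z", "consent_version": "2024-02", "categories": ["all"], "event": "grant", "mechanism": "banner"}
"""


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a 'Z' suffix into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


_VERSION_STARTS = sorted((parse_ts(start), v) for v, start in NOTICE_VERSIONS.items())


def notice_version_at(ts):
    """Return the notice version in force at ts, or None if ts predates the first version."""
    current = None
    for start, version in _VERSION_STARTS:
        if start <= ts:
            current = version
        else:
            break
    return current


def check_record(rec):
    """Checks (1) and (3) plus granularity on one record; returns a list of findings."""
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        return [f"missing fields: {', '.join(missing)}"]  # later checks need these fields
    try:
        ts = parse_ts(rec["timestamp"])
    except ValueError:
        return [f"unparseable timestamp: {rec['timestamp']!r}"]
    findings = []
    if rec["event"] not in ("grant", "withdraw"):
        findings.append(f"unknown event type: {rec['event']!r}")
    cats = set(rec["categories"])
    if not cats or not cats <= GRANULAR_CATEGORIES:
        findings.append(f"non-granular or unknown categories: {sorted(cats)}")
    expected = notice_version_at(ts)
    if rec["consent_version"] != expected:
        findings.append(f"version {rec['consent_version']!r} recorded but {expected!r} was in force")
    return findings


def audit_log(text):
    """Run the per-record checks and the cross-record withdrawal check (2).

    Returns {"records": count, "findings": {line_no: [finding, ...]}, "oldest": datetime|None}.
    """
    findings, timed, count = {}, [], 0
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        count += 1
        try:
            rec = json.loads(line)
        except ValueError:
            findings[line_no] = ["malformed JSON"]
            continue
        per_record = check_record(rec)
        if per_record:
            findings[line_no] = per_record
        if "timestamp" in rec:
            try:
                timed.append((parse_ts(rec["timestamp"]), line_no, rec))
            except ValueError:
                pass
    # Walk events in time order: a withdrawal must refer to a grant already on record.
    timed.sort(key=lambda t: (t[0], t[1]))
    granted = {}  # user_id -> categories currently granted
    for _, line_no, rec in timed:
        held = granted.setdefault(rec.get("user_id"), set())
        cats = set(rec.get("categories", []))
        if rec.get("event") == "grant":
            held.update(cats)
        elif rec.get("event") == "withdraw":
            not_held = cats - held
            if not_held:
                findings.setdefault(line_no, []).append(
                    f"withdrawal of {sorted(not_held)} with no prior grant on record")
            held.difference_update(cats)
    return {"records": count, "findings": findings, "oldest": timed[0][0] if timed else None}


if __name__ == "__main__":
    result = audit_log(SAMPLE_LOG)
    print(f"{result['records']} records, oldest {result['oldest']}")
    for line_no in sorted(result["findings"]):
        for finding in result["findings"][line_no]:
            print(f"line {line_no}: {finding}")
```

Run against a real export by replacing SAMPLE_LOG with the file contents and NOTICE_VERSIONS with the notice change log; the version check is the one most often missed by hand, because a CMP that keeps serving an old banner after a notice update produces records that look well-formed but do not match the notice the user actually saw.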
Questions (2)
Where consent is relied upon as the legal basis for processing, does your organisation use a consent management mechanism that records granular, freely given, specific and withdrawable consent?
Consent must be opt-in by default (no pre-ticked boxes). Withdrawal must be as easy as granting consent. Consent records should include timestamp, consent version, mechanism of consent and the categories consented to.
How is individual consent recorded and managed?
A consent management platform or a structured database log capturing a (pseudonymised) user ID, timestamp, consent version, mechanism and categories is required to demonstrate valid consent. Unstructured capture, such as a free-text note or an email thread, cannot satisfy the GDPR accountability requirement to demonstrate that consent was given.