Consent is a basis for legal processing (along with legitimate interests, necessary execution of a contract and others). For marketers in particular there has been much debate about the type of consent that might be required under this new regulation.
According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;”
The purposes for which the consent is gained does need to be “collected for specified, explicit and legitimate purposes”
In other words it needs to be obvious to the data subject what their data is going to be used for at the point of data collection.
Consent should be demonstrable – in other words organisations need to be able to show clearly how consent was gained and when.
Consent must be freely given – a controller cannot insist on data that’s not required for the performance of a contract as a pre-requisite for that contract.
Withdrawing consent should always be possible – and should be as easy as giving it.