The GDPR guide to consent management for small businesses

In this article, we set out how small businesses can comply with GDPR through seven steps. As you know, the GDPR is an extensive piece of legislation requiring organisations that store or otherwise process data of EU citizens or residents to abide by certain data protection rules and principles. One of the most important rules of GDPR is that your business needs to have a lawful basis for processing personal data. Having a legal basis is meant to protect individuals from anything like annoyance (like those nasty spam emails that fill up our inbox) to something that constitutes a more serious breach of privacy law and poses an actual threat to our rights and freedoms. Today, we’re going to talk about one of those legal bases for processing, i.e. consent.

In today’s article, we will guide you through the seven elements of consent management (which is not limited to cookies and consent management platforms, although we do like them) to enable your small business to navigate the dark, murky waters of the GDPR, national telecommunications laws (and very soon, the EU’s new e-privacy directive).

This article is the second instalment in our Transformer Series, designed to enable you to become your very own cyber security and GDPR compliance transformer. From articles to workshops and everything in between, we will guide you through all the things you need to do to become GDPR compliant and cyber secure. And we’ll try to keep the legal lingo to a minimum, we promise.

  1. What are the lawful bases for processing data and why do I need one?

Let’s start with the second question here: Why do you need a lawful basis for processing personal data? Well, you have to understand that the GDPR wants one thing above all else: To protect individuals’ privacy. That’s a noble objective that we can get on board with, right? In order to protect individuals’ privacy, the GDPR wants businesses to think twice before they ask for someone’s personal data and to have a good reason for keeping (or, “processing”) it.

Consent is not the only legal basis for processing your business can rely on. In fact, any one of six legal bases can be used and it’s up to you to decide which legal basis applies to your specific situation and processing activity.

The lawful bases for processing personal data under the GDPR are:

  1. Consent

  2. Performance of a contract

  3. Legal obligation

  4. Vital interests of data subjects or other individual

  5. Public Interest

  6. Legitimate interests of the controller

For most (small) businesses, your lawful basis for processing personal data under the GDPR will be either consent, performance of a contract or legitimate interest. It’s important to know that your legal basis for processing can differ depending on which piece of personal data you process as a business and how you do so. For example, your lawful basis for processing personal data through your website (through cookies) might be consent, but your lawful basis for processing personal data by providing a service might be performance of a contract. Still with us? Good. Let’s zoom in on consent.

2. Elements of consent






Can be easily withdrawn


Consent must be freely given; there must not be any condition or risk attached to the request for consent and data subjects must not be cornered into giving consent. In other words: data subjects need to be able to say no.

“In order to be free, we must be informed”, as we’re sure that some philosopher has once said. They were probably anticipating contemporary privacy laws. Consent must be informed: Consent can only be given after receiving all relevant information about the processing.

Consent must also be specific... “The request for consent shall be presented in a manner which is clearly distinguishable from the other matters.” It’s important to remember that you should phrase your request for consent so that the individual can know exactly what they’re consenting to. That way, you don’t have to get into discussions about what you said, what you meant to say, what they thought you said and what they think about what you thought that they said. Or something like that.

...and explicit (or unambiguous), that is, there should be no question about whether the data subject has consented. “Silence, pre-ticked boxes or inactivity should not constitute consent”.

Consent must be given before any processing activities commence. The GDPR agrees with our parents: Ask for permission and don’t ask for forgiveness after the fact.

Consent must be easily withdrawn. Have you ever tried to unsubscribe from Amazon Prime? No? Try it. It’s virtually impossible. Don’t be like Amazon, and make it as easy for data subjects to withdraw consent as it was for you to obtain consent.

And finally, you must be able to demonstrate that you’ve obtained consent and that this consent fulfills all of these requirements. This is done through a process that we call consent management.

3. What is consent management?

Consent management is the process of requesting, obtaining, storing and withdrawing consent in order to be legally compliant.

Website consent management

For many small businesses, their website is one of the main areas of non-compliance with the law. When it comes to consent management on your website, there are different laws and regulations to take into account: The GDPR, local telecommunications laws and the e-privacy Directive, which will soon be replaced by the e-Privacy regulation.

On your website, you process the website user’s personal information through the use of cookies. Cookies are text files with small pieces of data that are used to identify your computer and track your activity on a website. These text files let you use a website without having to log in twice, for instance, and remember your preferences for the use of a website to make your experience more personalised and pleasant. In many ways, cookies make the internet work like we expect it to.

Marketing, tracking and so-called third-party cookies are used to remember what you do on certain websites, so that shops or other businesses can target you with ads (and that’s why you’re seeing all those shoe adverts, Karen). For these types of cookies, which aren’t essential to the normal operation of the website, businesses must ask for permission. This consent must fulfil the requirements set out above, in that the consent must be given in advance, freely, informed, specific, unambiguous and must be easily withdrawn. You must be able to show that the consent fulfills these requirements, which we sometimes call consent management.

A lot of websites have the possibility to include a cookie banner or pop-up, where you ask for your website user’s consent for the use of cookies, but often these do not comply with cookie regulation as they either contain pre-ticked boxes, are not specific or simply state that by using the website, you consent to the use of cookies. And that is definitely not allowed, as your website users need to be free to say no.

Using a GDPR consent management platform or cookie consent manager such as Usercentrics is a great way to comply with local telecommunication laws, the GDPR and the e-privacy directive.

What is a consent management platform?

A consent management platform or CMP is a piece of technology that can be used on websites to obtain the legal consent from users to process their personal data via your website. It allows you to easily inform your data subjects about this specific processing activity, obtain their consent and an opt-in for further communications. You can show the world that you take legal compliance seriously, which not only benefits your reputation, but might save you a headache and a hefty GDPR fine. Who said balancing compliance and marketing had to be hard?

4. General GDPR consent management

Your website is not the only place where you need to manage consent-- if you rely on consent as the legal basis for processing personal data. Remember that you can also rely on one of the five other lawful bases for processing personal data under the GDPR.