- Consent must be: freely given, specific, informed, and unambiguous (Article 7)
- Pre-ticked boxes, implied consent, and bundled consent are all invalid under GDPR
- Consent must be as easy to withdraw as to give — and withdrawal must be honoured immediately
- Do not use consent when another lawful basis (contract, legal obligation) is more appropriate
Consent under GDPR is not the same as consent in everyday language. It is a legal standard with specific requirements, and organisations that rely on consent as their primary lawful basis often discover that what they collected was not valid consent at all. The EDPB's Guidelines on Consent provide extensive detail; this guide covers the practical essentials for regulated businesses.
The four requirements for valid consent
1. Freely given
Consent is not freely given if the individual has no real choice or would suffer a detriment for refusing. This means:
- You cannot make consent a condition of a service (unless the processing is genuinely necessary for that service)
- Bundling consent for multiple processing activities into a single checkbox is not valid — each must be separately consented to
- Where there is a clear power imbalance (employer-employee), consent from employees is generally considered not freely given
2. Specific
Consent must be specific to each distinct purpose. Generic statements like "we may use your data for marketing and analytics purposes" do not meet the specificity requirement. Each purpose — email newsletters, phone calls, profiling, sharing with partners — requires its own consent.
3. Informed
Individuals must have enough information to make a meaningful decision before they consent. At minimum, you must tell them: who you are, what data will be processed, for what purpose, whether it will be shared with third parties, and the fact that they can withdraw consent at any time.
4. Unambiguous indication
Consent requires a positive, affirmative action — an opt-in, not an opt-out. Pre-ticked boxes, consent assumed from inaction, or consent buried in terms and conditions are all invalid. The action must be clear and distinguishable from other matters.
When not to use consent
Consent is often the wrong lawful basis. If processing is necessary to perform a contract with the individual, use contract performance (Article 6(1)(b)). If you are legally required to process the data, use legal obligation (Article 6(1)(c)). Using consent for processing that contract performance or legal obligation would justify creates an unnecessary consent management burden and gives individuals rights (easy withdrawal, potential erasure) that the situation does not require.
Common mistake: Using consent as the lawful basis for KYC processing. KYC is a legal obligation under AML legislation — the lawful basis is Article 6(1)(c), not consent. If you collect consent for KYC, individuals can withdraw it at any time, which would prevent you from meeting your legal obligation.
Managing consent records
Under Article 7(1), you must be able to demonstrate that an individual gave consent. This means your consent management system must capture:
- Who consented (linked to an individual record)
- When they consented (timestamp)
- What they consented to (the specific purpose and version of the consent notice shown)
- How they consented (which mechanism — form submission, checkbox, etc.)
Handling consent withdrawal
Article 7(3) states that withdrawal must be as easy as giving consent. If consent was given by clicking a checkbox on a website, withdrawal must also be possible with a comparable level of effort — not via a written letter to a compliance officer. When consent is withdrawn:
- Processing based on that consent must cease immediately
- Data collected solely on the basis of that consent must be deleted (unless another lawful basis applies)
- Withdrawal does not affect the lawfulness of processing carried out before withdrawal
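The record-keeping requirements above (who, when, what, how) and the withdrawal rules together describe an append-only consent ledger: consent and withdrawal are separate timestamped events, and whether processing is permitted is a question asked at a point in time. The following Python example is added here to show that shape; it is not HubSecure's code, and the event fields, the set of accepted opt-in mechanisms and the sample subject and purpose names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Literal

# Assumed set of mechanisms that count as an affirmative opt-in (Article 7 /
# "unambiguous indication"). Anything else, e.g. a pre-ticked box, is refused.
ALLOWED_MECHANISMS = {"checkbox_opt_in", "form_submission", "recorded_verbal", "api_request"}


def utc(year: int, month: int, day: int) -> datetime:
    """Helper so every timestamp in the ledger is timezone-aware UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: consent given, or consent withdrawn."""
    subject_id: str                       # who (link to the individual's record)
    purpose: str                          # what: one specific purpose per event
    kind: Literal["given", "withdrawn"]
    at: datetime                          # when
    notice_version: str = ""              # which version of the notice was shown
    mechanism: str = ""                   # how the consent was captured


class ConsentLedger:
    """Append-only store; nothing is ever edited or deleted, only added."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       mechanism: str, at: datetime) -> None:
        if mechanism not in ALLOWED_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not an affirmative opt-in mechanism")
        # Crude guard against bundling several purposes into one record.
        if any(sep in purpose for sep in (",", ";", " and ")):
            raise ValueError("one purpose per consent record; bundled consent is not specific")
        self._events.append(ConsentEvent(subject_id, purpose, "given", at,
                                         notice_version, mechanism))

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        """Withdrawal is a new event, so earlier processing stays demonstrably lawful."""
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", at))

    def is_permitted(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Replay the subject's events up to `at`; the latest one decides."""
        state = False
        for ev in sorted(self._events, key=lambda e: e.at):
            if ev.subject_id != subject_id or ev.purpose != purpose or ev.at > at:
                continue
            state = ev.kind == "given"
        return state

    def audit_trail(self, subject_id: str) -> list[ConsentEvent]:
        """Everything needed to demonstrate consent under Article 7(1), in time order."""
        return [ev for ev in sorted(self._events, key=lambda e: e.at)
                if ev.subject_id == subject_id]


def build_sample_ledger() -> ConsentLedger:
    """Constructed scenario: one person opts in to a newsletter, later withdraws."""
    ledger = ConsentLedger()
    ledger.record_consent("subj-001", "email_newsletter", notice_version="v2",
                          mechanism="checkbox_opt_in", at=utc(2024, 1, 10))
    ledger.withdraw("subj-001", "email_newsletter", at=utc(2024, 3, 1))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for when in (utc(2024, 1, 9), utc(2024, 2, 1), utc(2024, 3, 2)):
        print(when.date(), "newsletter permitted:",
              ledger.is_permitted("subj-001", "email_newsletter", when))
    print("profiling ever consented:",
          ledger.is_permitted("subj-001", "profiling", utc(2024, 2, 1)))
```

Because the ledger never rewrites history, the same `is_permitted` call answers both the live question ("may I send this email now?") and the audit question ("was the email sent on 1 February lawful?"), which is exactly the distinction the third bullet above draws.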
Consent and marketing communications
For electronic marketing communications (email, SMS), the ePrivacy Directive (PECR in the UK) applies alongside GDPR. Generally, prior consent is required for marketing to individuals. B2B marketing to business email addresses may rely on the "soft opt-in" rule where the recipient is an existing customer and the marketing is for similar products or services.
How long does consent last?
GDPR does not set a maximum period, but the EDPB recommends refreshing consent periodically when the relationship is ongoing. If circumstances have changed since the original consent was given, you should re-seek consent. Document your consent refresh policy.
Can children give consent under GDPR?
Article 8 of GDPR limits children's ability to give consent for information society services to those aged 16 or over (member states can lower this to 13). Parental or guardian consent is required for younger children. Verify the child's age and keep records.
Manage consent alongside your client relationships
HubSecure CRM records consent status, timestamps, and withdrawal dates for each client — so your marketing lists are always compliant and audit-ready.
Official sources and further reading
Use these public sources to verify regulatory background and terminology. HubSecure content is product guidance, not legal advice.
Credibility notes
This guide is written for product and operations evaluation, not as legal advice. For compliance obligations, confirm requirements with qualified counsel or the relevant regulator.
Reviewed for regulated teams
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.