Blog article




Consent is to give permission for something to happen.


Consent is one of the specific EU GDPR (General Data Protection Regulation) challenges affecting the Public Sector, Industries and Professional Services, and it touches most of the 22m SMEs (Small and Medium-Sized Enterprises) throughout Europe. In the digital world, websites, enterprise applications, mobile apps, games, portals, products, services and much more are affected by the need for consent.


Consent is covered throughout the lengthy GDPR regulatory document. Here are some of the extracts:  


  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the Data Subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
  • This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct, which clearly indicates in this context the Data Subject's acceptance of the proposed processing of his or her personal data.
  • Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
  • Consent should cover all processing activities carried out for the same purpose or purposes.
  • When the processing has multiple purposes, consent should be given for all of them.
  • If the Data Subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
  • Data Subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.
  • Where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her personal data.
  • The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the Data Subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
  • Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
  • The Controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
  • Processing is necessary to protect the vital interests of the Data Subject or of another natural person where the Data Subject is physically or legally incapable of giving consent.


The de facto standard for consent, almost everywhere, is Terms and Conditions presented in content form, with the classic tick box or signature for acceptance.


Terms and Conditions in content form are simply not fit for purpose for meeting the demands of GDPR.


People often do not read the pages and pages of Terms and Conditions. Even those who attempt to read them, setting aside those with a legal background or equivalent, do not necessarily understand the complexity of the details.


GDPR states the consent request must be “clear” and “concise”. To reinforce this message, GDPR states “silence, pre-ticked boxes or inactivity should not therefore constitute consent”.


To repeat, Terms and Conditions in content form are simply not fit for purpose.


The reality is that Terms and Conditions in content form would fail “understandability” and “usability” tests for the different types of customers.


Terms and Conditions content is signed off by compliance and lawyers, without regard to the profiles and experience of the targeted customers.


GDPR is about protecting the customer’s data and so the way we think about Terms and Conditions needs to change.  


RegTech Chatbots have the potential to set a new benchmark for Terms and Conditions.


There are three types of Chatbot conversational methods:

  • Natural Language Processing (underpinned by machine learning)
  • Single Question, Single Answer (underpinned by machine learning)
  • Scripts (underpinned by human controlled learning)


A Chatbot may use a blend of these methods during a conversation with a person.


Dialogue underpinned by machine learning is typically problematic for Terms and Conditions, as it is unacceptable to empower the AI to rewrite regulations and policies. Thus, the suitable solution lies in dialogue scripts, which can be controlled through governance.


RegTech Chatbots use scripts underpinned by Choices, Pathways and Outcomes, with the ability to record every dialogue step. It is this approach that masks the complexity of the Terms and Conditions traditionally found in content form. The real-time capture of the dialogue data is used for compliance, audit, measurements and patterns. This is the new benchmark for consent, which has far wider implications in areas such as the public sector, financial services and health.
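As an added illustration (not code from the original post or from DF2020), here is a minimal scripted consent dialogue of the kind described above: a governance-controlled script of Choices, Pathways and Outcomes, with every dialogue step appended to an audit log so the Controller can demonstrate consent, separate consent per purpose, no pre-selected answers, and withdrawal as a single step. The purposes, prompts and subject identifier are constructed sample values.

```python
"""Scripted consent dialogue: Choices, Pathways, Outcomes, every step recorded."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Governance-controlled script (constructed example). Each node offers explicit
# choices and nothing is pre-selected, so silence or inactivity never yields consent.
SCRIPT = {
    "marketing": {
        "prompt": "May we email you product offers? You can withdraw at any time.",
        "choices": {"yes": "consented", "no": "declined"},
    },
    "analytics": {
        "prompt": "May we analyse how you use the app in order to improve it?",
        "choices": {"yes": "consented", "no": "declined"},
    },
}

@dataclass
class ConsentRecord:
    subject_id: str
    steps: list = field(default_factory=list)     # append-only dialogue log for audit
    outcomes: dict = field(default_factory=dict)  # purpose -> current outcome

    def _log(self, purpose, answer, outcome):
        self.steps.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "purpose": purpose, "prompt": SCRIPT[purpose]["prompt"],
                           "answer": answer, "outcome": outcome})

    def answer(self, purpose, answer):
        # Only an explicit scripted choice counts; anything else is "unanswered",
        # which is not consent (and is distinct from an explicit "no").
        outcome = SCRIPT[purpose]["choices"].get(answer.strip().lower(), "unanswered")
        self.outcomes[purpose] = outcome
        self._log(purpose, answer, outcome)
        return outcome

    def withdraw(self, purpose):
        # Withdrawal is one step, as easy as giving consent; earlier steps stay logged,
        # so processing done before withdrawal remains demonstrably lawful.
        self.outcomes[purpose] = "withdrawn"
        self._log(purpose, "withdraw", "withdrawn")

    def may_process(self, purpose):
        # The Controller may process only on a recorded affirmative outcome.
        return self.outcomes.get(purpose) == "consented"

def run_dialogue(subject_id, answers):
    """Walk the script purpose by purpose; each purpose gets its own consent decision."""
    rec = ConsentRecord(subject_id)
    for purpose in SCRIPT:
        rec.answer(purpose, answers.get(purpose, ""))  # missing answer -> no consent
    return rec
```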





Freddie McMahon


Director Strategy and Innovation

DF2020 Ltd





This post is from a series of posts in the group:

Internal Auditors in Financial Services

