How to Draft a GDPR Consent Form in the UK

If you need to know how to draft a GDPR consent form in the UK, you are in the right place. Under UK GDPR — which retained EU GDPR principles post-Brexit and is enforced by the ICO — consent must be freely given, specific, informed, and unambiguous. That means no pre-ticked boxes, no bundled permissions, and no vague language about how you will use someone's data. Getting this wrong is not just a compliance risk; it can invalidate your entire basis for processing personal data, expose you to ICO enforcement, and damage trust with customers. This guide walks you through every element a valid UK GDPR consent form must contain, from the identity of the data controller to withdrawal rights and third-party disclosures. It is written for founders and small business operators who need to get this right without spending hours reading ICO guidance documents. We also flag where the complexity warrants a solicitor's input, because some consent scenarios — particularly in healthcare, finance, or where children's data is involved — go beyond what a standard form can handle.

Why this matters

Most UK founders drafting a GDPR consent form for the first time either copy a template they found online or assume their privacy policy covers it. Neither is reliable. A consent form is a distinct legal document that captures a specific, affirmative act from the individual. If it is vague, bundled with terms, or relies on implied agreement, it is not valid consent under UK GDPR. The ICO has fined businesses for exactly this. The real pain here is not knowing what the form must say, in what order, and how to word it so it holds up if challenged. This page solves that.

The Atornee approach

Atornee lets you generate a UK GDPR consent form that is structured around ICO requirements, not a generic international template. You answer a short set of questions about your business, the data you are collecting, and how you intend to use it. Atornee builds the form around your specific context — including the correct controller identity, lawful basis statement, and withdrawal mechanism. It is not a one-size-fits-all download. It is a starting point built for your situation, which you can review, edit, and if needed, take to a solicitor for sign-off before using it with customers or employees.

What you get

A UK GDPR consent form structured to meet ICO requirements, including controller identity, purpose, and withdrawal rights
Plain-English language that satisfies the 'informed' and 'unambiguous' consent standard without confusing your users
Separate consent fields for distinct processing purposes, so you avoid the bundling problem that invalidates many forms
A clear withdrawal mechanism statement that tells individuals exactly how to withdraw consent at any time
Guidance flags within the document highlighting where your specific use case may need solicitor review

Before you sign checklist

1. Confirm that consent is actually the right lawful basis for your processing — legitimate interests or contract may be more appropriate in some cases
2. List every specific purpose for which you are collecting data before drafting, so each gets a separate consent field
3. Identify your data controller details: your business name, registered address, and contact information for data queries
4. Decide how individuals will withdraw consent and document that mechanism clearly in the form
5. Check whether you are sharing data with third parties — if so, name them or describe the categories in the form
6. Remove any pre-ticked boxes or implied consent language from your draft before finalising
7. If you are collecting data from under-18s or processing special category data, escalate to a solicitor before using the form

FAQ

Does UK GDPR still apply after Brexit?

Yes. The UK retained GDPR principles through the UK GDPR and the Data Protection Act 2018. The ICO enforces it. The rules around consent are substantively the same as EU GDPR, so any guidance referencing EU GDPR consent standards is largely applicable in the UK, but you should check ICO guidance specifically for UK-specific nuances.

Can I use a checkbox in my consent form?

Yes, but it must be unticked by default. Pre-ticked boxes do not constitute valid consent under UK GDPR. The individual must take a clear, affirmative action — ticking the box themselves — to signal agreement. Silence or inaction is not consent.

Do I need a separate consent form if I already have a privacy policy?

Yes. A privacy policy tells people how you use their data. A consent form is the mechanism by which they actively agree to a specific use. They serve different functions. Your privacy policy should be linked from your consent form, but it does not replace it.

What happens if someone withdraws consent?

You must stop processing their data for the purpose they consented to, as soon as reasonably practicable. You cannot make withdrawal difficult or penalise someone for withdrawing. Any processing you carried out before withdrawal remains lawful, but you cannot continue after the withdrawal is received.

Is a GDPR consent form enough for employee data?

Usually not. The ICO has been clear that consent is rarely the appropriate lawful basis for processing employee data, because the power imbalance means consent is unlikely to be freely given. For employment contexts, legitimate interests or contractual necessity are typically more appropriate. Take advice from a solicitor if you are dealing with employee data.

Can I draft a GDPR consent form myself or do I need a solicitor?

For straightforward cases — collecting a customer's email for marketing, for example — a well-structured template reviewed against ICO guidance is a reasonable starting point. For anything involving special category data, children, health information, or complex third-party sharing, you should get a solicitor to review it before use. The cost of getting it wrong outweighs the cost of an hour of legal advice.

Trust & Verification Policy

Authored By

Atornee Editorial Team

UK Data Protection and Compliance Content

Reviewed By

Compliance Review Desk

UK Business Legal Content QA

Last reviewed on 3/4/2026

"This content is based on ICO published guidance, the UK GDPR statutory text, and practical patterns observed across common UK small business data collection scenarios. It reflects the consent standards the ICO applies when assessing enforcement cases."
