Consent requests must be separate from other contract terms and conditions and/or from other information notices. 

Consent should not be a pre-condition of signing up for a service unless the consent is necessary in order to deliver the service itself.

Consent must be an active choice for the individual giving consent.  Silence, pre-ticked boxes or inactivity should not be viewed to constitute consent.

Un-ticked opt-in boxes or other similar active opt-in methods should be used.

You must allow individuals to consent to specific (or granular) types of data processing.  A generic catch-all consent is not sufficient.

You must name your organisation and any third parties who will be relying on the individual's consent. 

You must keep records to demonstrate an individual's consent including, what they were told and when and how they consented. 

You must tell people that they have the right to withdraw their consent at any time and how they can do this.  It must be as easy to withdraw consent as it is to give it.  This means you will need to have simple and effective withdrawal mechanisms in place.

Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Consent is not freely given if there is an imbalance in the relationship between the individual and the data controller. 

Consent cannot be a pre-requisite for a service. 

This is particularly relevant in the case of health research where a patient may feel obligated to give consent to a doctor on whom they are reliant for their healthcare.