Why consent records matter
Consent is one of the six lawful bases for processing personal data under GDPR, yet most organisations handle it poorly. Cookie banners and privacy policies create an illusion of control while giving individuals little real agency over their data. ISO/IEC 27560 changes this by defining a structured, verifiable approach to consent records.
What ISO/IEC 27560 defines
The standard specifies how to create consent records and consent receipts that are machine-readable, auditable, and interoperable. It builds on ISO/IEC 29184 (online privacy notices and consent) and introduces a clear information structure for:
- Consent records — The organisation’s internal record of what was consented to, when, and under what conditions
- Consent receipts — A receipt given to the individual as proof of their consent, including all relevant details about the processing
The standard covers the full lifecycle: collection, storage, retrieval, modification, and withdrawal of consent.
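To make the record/receipt distinction and the lifecycle above concrete, here is a constructed Python example written for this post. It is not ISO/IEC 27560's normative schema and the field names (record_id, principal_id, purposes, state, events) are simplified assumptions; it models the lifecycle the standard covers (collection, storage, retrieval, modification, withdrawal) as an append-only event trail, and issues the individual a receipt carrying an integrity tag so that later tampering with the copy can be detected.

```python
"""Constructed consent-record store with receipts (illustrative, not ISO/IEC 27560's schema)."""
import hashlib
import hmac
import json
import uuid
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Constructed key for the example only; a real deployment would keep
# signing material in a KMS/HSM and would typically use a digital signature.
RECEIPT_KEY = b"example-key-not-for-production"


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    """Controller-side record: what was consented to, when, and under what conditions."""
    record_id: str
    principal_id: str            # pseudonymous identifier of the data subject
    controller: str              # organisation relying on the consent
    purposes: list               # processing purposes currently consented to
    state: str = "given"         # "given" or "withdrawn"
    events: list = field(default_factory=list)  # append-only audit trail

    def to_dict(self) -> dict:
        return asdict(self)


class ConsentStore:
    def __init__(self):
        self._records = {}

    # Collection: create the record and log the initial grant.
    def record_consent(self, principal_id: str, controller: str, purposes) -> ConsentRecord:
        rec = ConsentRecord(str(uuid.uuid4()), principal_id, controller, list(purposes))
        rec.events.append({"type": "consent_given", "at": _now(), "purposes": list(purposes)})
        self._records[rec.record_id] = rec
        return rec

    # Retrieval: the record must be findable for audits and subject requests.
    def get(self, record_id: str) -> ConsentRecord:
        return self._records[record_id]

    # Modification: scope changes are logged, never silently overwritten.
    def update_purposes(self, record_id: str, purposes) -> ConsentRecord:
        rec = self.get(record_id)
        if rec.state != "given":
            raise ValueError("cannot modify withdrawn consent")
        rec.events.append({"type": "purposes_changed", "at": _now(),
                           "from": list(rec.purposes), "to": list(purposes)})
        rec.purposes = list(purposes)
        return rec

    # Withdrawal: the record is retained (for accountability) but no longer permits processing.
    def withdraw(self, record_id: str) -> ConsentRecord:
        rec = self.get(record_id)
        rec.state = "withdrawn"
        rec.events.append({"type": "consent_withdrawn", "at": _now()})
        return rec

    # The check a processing pipeline should make before using the data.
    def is_permitted(self, record_id: str, purpose: str) -> bool:
        rec = self.get(record_id)
        return rec.state == "given" and purpose in rec.purposes


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the same content always yields the same tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(rec: ConsentRecord) -> dict:
    """Receipt handed to the individual: a copy of the record plus an integrity tag."""
    body = rec.to_dict()
    tag = hmac.new(RECEIPT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"receipt": body, "mac": tag}


def verify_receipt(receipt: dict) -> bool:
    """True only if the receipt body is unchanged since issuance."""
    expected = hmac.new(RECEIPT_KEY, _canonical(receipt["receipt"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt["mac"])


if __name__ == "__main__":
    store = ConsentStore()
    rec = store.record_consent("subject-42", "Example Ltd", ["newsletter", "analytics"])
    receipt = issue_receipt(rec)
    print("receipt valid:", verify_receipt(receipt))
    store.update_purposes(rec.record_id, ["newsletter"])
    store.withdraw(rec.record_id)
    print([e["type"] for e in store.get(rec.record_id).events])
```

Two design points matter more than the field names. First, withdrawal does not delete the record: the controller still needs evidence that consent existed for the period it was relied on, and the event trail shows exactly when it stopped. Second, the HMAC tag only proves integrity to whoever holds the key (the controller or an auditor it shares the key with); a receipt the individual can show to third parties would need a digital signature instead.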
Why it matters now
Two developments make ISO 27560 particularly timely:
GDPR enforcement is maturing. Regulators increasingly expect organisations to demonstrate not just that consent was obtained, but that it was informed, specific, and properly recorded. ISO 27560 provides the structure to meet this expectation.
The EUDI Wallet is coming. Under eIDAS 2.0, digital wallets will need robust consent and access control mechanisms. ISO 27560’s consent receipt structure provides a foundation for transparent data sharing in wallet ecosystems — something I’ve been working on through my contributions to CEN TS 18297.
The standard is now free
In a significant step for adoption, ISO/IEC 27560 has been made freely available — a rare exception to ISO’s business model. This was achieved through persistent advocacy by the editorial team. You can download it directly from ISO.
How to get started
If your organisation processes personal data based on consent, here are practical first steps:
- Audit your current consent mechanisms — Map where and how you collect consent today
- Review against ISO 27560’s information structure — Identify gaps in what you record
- Implement consent receipts — Give individuals verifiable proof of their consent
- Integrate with your ISMS — If you have ISO 27001, consent records should be part of your information security controls
About my involvement
I served as lead editor of ISO/IEC 27560 within ISO/IEC SC27/WG5. Our team — including co-editors Harsh Pandit, Andrew Hughes and Kelvin Magtalas — also published research on implementing the standard for GDPR and the Data Governance Act (DGA), which won best paper at ENISA’s Annual Privacy Forum 2024.
If you need help implementing consent management aligned with ISO 27560 — whether for GDPR compliance, EUDI wallet integration, or as part of a broader privacy programme — get in touch.
