We need to make a series of changes in Mahara to comply with the GDPR. More info is available on the wiki at https://wiki.mahara.org/wiki/Developer_Area/Specifications_in_Development/GDPR_compliance
It should be possible for a user to revoke their consent to the T&C. If that is done, their account would be suspended as it's currently either full consent or no consent.
I can imagine this could look like the following:
1. New menu item "Privacy" in the "User menu" -> "Settings" -> "Privacy".
2. On that page they see the privacy statement (and date of when last updated) that they agreed to (site and institution privacy statements) as well as show the consent switches that they have set. They are able to set those to "No".
3. When they want to save their changes and there is a "No" selection, they see a modal letting them know that their account will be suspended if they continue. They have two choices:
1. Double-check that they didn't make changes accidentally.
2. Go through with the change. Then their account will be suspended automatically and the institution administrators (or site admin for "No institution" or if there is no institution admin) receive a notification about this so that they can follow up with the user if needed.
There is one caveat: when consent is withdrawn, it will usually cover all of the rights to processing, which includes holding the data at all. Fortunately for most installations this shouldn't be a problem because in most cases there's more than just consent for the data being the right to process (provision of a service covers a fair amount too)
The user should be told that their account will be suspended, and reviewed by an administrator - because in some cases, the administrator will need to look at it as if it's a request for deletion as there may not be a lawful basis to hold the data any more. This will be subject to any data retention policies an institution might have, and that's a matter for them.
That said, this is based on the current published advice; the Article 29 Working Party is due to publish some guidance next month on consent and in particular on withdrawal of it. We may need to look again once that is published.